COUNTERMEASURES


This appendix describes countermeasures that will reduce the vulnerability of an ADP facility. The countermeasures described herein are a representative group for improving overall computer security. They are to be used to assist ADP installations in performing a risk assessment. The format for each of the proposed countermeasures is as follows:


a. Vulnerability. The statement of a security vulnerability in an ADP facility.


b. Countermeasure. A brief description of a security countermeasure that can reduce the stated vulnerability.


c. Confidence. The level of confidence, e.g., low, medium, high, or very high, that can be placed in the proposed countermeasure.


d. Cost. A qualitative statement of the cost or (if possible) dollar costs that would be incurred by implementing the proposed countermeasure. Cost figures are estimates based on a cost of $60,000 per man-year.


e. Caveats. The limitations, unusual risks, dependencies, and/or disadvantages related to the countermeasure.


Section 2.1 of this appendix contains references (applicable policy and/or technical reference) pertaining to each countermeasure.


1.2.1  Security  Audit  Trails 


Vulnerability. Deficient protection features for the operating system may allow actual or attempted security violations to go undetected without an adequate audit trail capability.

Countermeasure. Establish an audit trail capability and ADP system security officer (ADPSSO) review process. The audit trail should provide accurate information on security-related transactions. From the data contained in the audit trail, the ADPSSO should be able to answer the following questions:

a. Who attempted to log onto the system (name, user ID, password, time of day, terminal identification [if applicable])?

b. Who was on the system (name, user ID, password, time of day, terminal identification [if applicable])?

c. What files were requested?

d. What was the nature of the access — read, write, execute, append, or delete?

e. What files were created?

f. Was any output produced?

g. What date and time did a transaction occur?

Once an appropriate data base has been built, it is possible for the ADPSSO to check the current audit trail against historical use patterns and identify security-related exceptional usage patterns. Note that it may be difficult to identify security violations as such and that an audit trail may not be feasible in some systems.

Confidence. An average security audit package is rated low to medium.

Cost. If the software currently in use supports audit trail information gathering and journalizing, the main cost of establishing an audit trail will be in the area of computer system overhead. If audit trail information-gathering and journalizing software has to be written, the cost associated with this countermeasure may range from two to four man-years of effort ($120,000 to $240,000). In either case, once software is implemented to create an audit trail, there will be a need for additional personnel time for analyzing the data. A large system may need one person at half-time ($30,000).

The costs associated with the software development to support this countermeasure would probably be more than any one site would consider reasonable. To bring down costs for any one site, costs of software development can be shared by several sites with similar hardware and system software configurations.

Caveats. An audit trail can provide a deterrent effect, but that effect can be lost if it becomes generally known that the audit trail is not subject to scrutiny.

An audit trail provides little defense against software penetration.

The level of confidence for auditing depends on the protection afforded to the audit software. If the software can be easily disabled, the confidence is lower.

1.2.2  Threat  Monitoring. 

Vulnerability. Inadequate protection features for an operating system may invite unauthorized access to the system, misuse of resources, or other undesirable activities.

Countermeasure. Threat monitoring is a preventive measure that can recognize an attack and quickly notify an appropriate authority. Notification may be by an alarm on the operator's console, a message to the operator or ADPSSO (if on-line), or an automatic dial-up of the security officer's phone number.

Threat monitoring (or a surveillance program) is installed as software that has access to appropriate security information about the users, files, and processes of the system. The software constantly monitors the activities of the system and attempts to recognize unusual activities or patterns.

When threat monitoring is advertised as an operating system feature, it can serve as a useful deterrent to unauthorized activities.

Confidence. This countermeasure is given a medium level of confidence.
Cost. A surveillance program of this type requires from 12 to 24 months of development effort ($60,000 to $120,000). A hardware feature to sound an alarm or dial a security officer when a violation takes place may cost up to an additional $3,000.

Caveats. A threat monitoring program can be expected to degrade the performance of an operating system by interrupting normal processing to monitor security. The extent of the degradation depends upon the number of activities monitored, the frequency of monitoring, and the resources used to evaluate the legitimacy of system activities.

A threat monitor will not provide substantial defense against software
penetration. 
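The ADPSSO review described in 1.2.1 (checking the current audit trail against historical use patterns) and the surveillance idea of 1.2.2 (recognizing unusual activity and raising an alert) can be worked as one routine. The following is an added example, not code from the appendix; the record layout, the user and terminal names, and the failed-log-on threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit records (not from the appendix). One record per line:
#   timestamp user terminal event file access
# ACCESS records answer questions b through g above; LOGON_FAIL records answer question a.
HISTORICAL_TRAIL = """\
1979-03-05T09:02 U101 T01 ACCESS PAYROLL.DAT read
1979-03-05T09:15 U101 T01 ACCESS PAYROLL.DAT write
1979-03-05T10:40 U102 T02 ACCESS INVENTORY.DAT read
1979-03-06T08:55 U101 T01 ACCESS PAYROLL.DAT read
1979-03-06T11:10 U102 T02 ACCESS INVENTORY.DAT append
1979-03-07T09:30 U101 T01 ACCESS PERSONNEL.DAT read
1979-03-07T16:45 U102 T02 ACCESS INVENTORY.DAT write
"""

CURRENT_TRAIL = """\
1979-03-12T09:05 U101 T01 ACCESS PAYROLL.DAT read
1979-03-12T23:48 U101 T07 ACCESS PAYROLL.DAT read
1979-03-12T23:50 U101 T07 ACCESS PERSONNEL.DAT write
1979-03-13T10:02 U102 T02 ACCESS INVENTORY.DAT read
1979-03-13T10:05 U102 T02 ACCESS PAYROLL.DAT delete
1979-03-14T02:11 U103 T09 LOGON_FAIL - -
1979-03-14T02:12 U103 T09 LOGON_FAIL - -
1979-03-14T02:12 U103 T09 LOGON_FAIL - -
"""

FAILED_LOGON_THRESHOLD = 3  # assumed policy: this many failures per user and day is an exception


def parse_trail(text):
    """Split the journal into records; each record is a dict of the fields above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, terminal, event, file_, access = line.split()
        records.append({
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M"),
            "user": user, "terminal": terminal, "event": event,
            "file": file_, "access": access,
        })
    return records


def build_profile(records):
    """Historical use pattern per user: terminals used, hours of day, (file, access) pairs."""
    profile = defaultdict(lambda: {"terminals": set(), "hours": set(), "accesses": set()})
    for r in records:
        if r["event"] != "ACCESS":
            continue
        p = profile[r["user"]]
        p["terminals"].add(r["terminal"])
        p["hours"].add(r["time"].hour)
        p["accesses"].add((r["file"], r["access"]))
    return profile


def find_exceptions(profile, records):
    """Return (timestamp, user, reason) for each record that departs from the profile."""
    exceptions = []
    failures = defaultdict(int)  # (user, date) -> unsuccessful log-ons so far
    for r in records:
        stamp = r["time"].strftime("%Y-%m-%dT%H:%M")
        user = r["user"]
        if r["event"] == "LOGON_FAIL":
            key = (user, r["time"].date())
            failures[key] += 1
            if failures[key] == FAILED_LOGON_THRESHOLD:  # alert once, when the threshold is hit
                exceptions.append((stamp, user, "repeated failed log-ons"))
            continue
        p = profile.get(user)
        if p is None:
            exceptions.append((stamp, user, "user with no history"))
            continue
        if r["terminal"] not in p["terminals"]:
            exceptions.append((stamp, user, "unfamiliar terminal " + r["terminal"]))
        lo, hi = min(p["hours"]) - 1, max(p["hours"]) + 1  # one hour of slack around past use
        if not lo <= r["time"].hour <= hi:
            exceptions.append((stamp, user, "outside usual hours"))
        if (r["file"], r["access"]) not in p["accesses"]:
            exceptions.append((stamp, user, "unusual access %s %s" % (r["file"], r["access"])))
    return exceptions


def review():
    """Check the current trail against the profile built from the historical one."""
    history = parse_trail(HISTORICAL_TRAIL)
    return find_exceptions(build_profile(history), parse_trail(CURRENT_TRAIL))


if __name__ == "__main__":
    for stamp, user, reason in review():
        print(stamp, user, reason)
```

The same checks run on records as they are journalized, rather than on a day's trail after the fact, are the threat-monitoring case, with the exception list feeding an operator alarm instead of a report.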

1.2.3  Residue  Control 

Vulnerability. An operating system may allow sensitive information to remain in public primary and secondary storage. This information may be compromised by browsing* attacks.

Countermeasure. Purge or erase all publicly accessible storage areas before allowing a program to use them. A software program can erase storage areas, e.g., sort work areas, temporary data files, input/output buffers. Some computers may provide a hardware clear switch for manually clearing memory.

Confidence.  A high  level  of  confidence  can  be  placed  in  this  countermeasure. 

Cost. Software development costs can range from one month to several years of effort ($3,000 to $300,000). The Clear Memory Utility (CMU) project for the Honeywell 6000 series required approximately 6 man-years. CMU cleared main memory, control processor registers, and the microprogrammable controllers between periods of secure processing for the World Wide Military Command and Control System (WWMCCS).

* Browsing is defined as searching through storage to locate or acquire information without necessarily knowing of the existence or the format of the information being sought.


Caveats. Associated with this countermeasure will be the overhead to execute the software.

This countermeasure is not to be confused with the overwrite of storage or magnetic media prior to its physical release to an uncleared facility. Because of the hysteretic properties of magnetic memory and storage media, a single overwrite in that case is not sufficient. Additional measures must be used to prevent previously stored data from being recovered under laboratory conditions.

1.2.4  Log-on  Attempts 

Vulnerability. Systems may be deficient by permitting an unlimited number of log-on attempts. An unauthorized user who is trying to log on by guessing the log-on procedure may go unnoticed by the system. If the unauthorized user does guess the log-on procedure or password, the system becomes susceptible to compromise.

Countermeasure. Several approaches can be associated with the number of allowable unsuccessful attempts to log on to the computer system. They include the following alternatives:

a. Permitting an unlimited number of attempts.

b. Allowing one attempt and then automatically locking the terminal out of the system.

c. Specifying a fixed number of attempts and then automatically locking the terminal out of the system.

d. Surveillance of the terminal session after several failed attempts.

The decision of how many attempts to allow a user to log on to a computer system is a policy decision for the host system's ADPSSO to enforce.


Confidence. Alternative a provides no confidence. A very high level of confidence is gained by b or c. A high level of confidence can be placed in c if no more than two or three attempts are allowed.

Cost. The cost associated with this countermeasure depends on whether the current software supports the counting of attempted log-ons. If the necessary software is in place and only the number of unsuccessful attempts has to be changed, the cost may be less than $100. If the software must be developed, the cost of developing or purchasing the required software should be less than $5,000. Sharing the cost over several installations with comparable software and requirements can reduce the cost per installation.

Caveats. The number of log-on attempts to be permitted will vary depending on such things as the following:

a.  The  trustworthiness  of  users. 

b.  How  closely  the  terminal  areas  are  monitored. 

c.  The  sensitivity  of  the  data  contained  in  the  system. 

d.  Whether  or  not  dial-up  access  is  provided. 
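The four alternatives above differ only in what the system does once the count of unsuccessful attempts reaches the ADPSSO's limit. The following added example (not code from the appendix; the class and its state names are assumptions) keeps that count per terminal and applies whichever policy is configured, so the limit itself stays a one-line policy setting as the cost paragraph anticipates.

```python
class LogonGate:
    """Count unsuccessful log-on attempts per terminal and apply one of the
    alternatives above: UNLIMITED (a), LOCKOUT with max_failures=1 (b) or a
    fixed number (c), or SURVEILLANCE of the session after max_failures (d)."""
    UNLIMITED, LOCKOUT, SURVEILLANCE = "unlimited", "lockout", "surveillance"

    def __init__(self, policy, max_failures=3):
        self.policy = policy
        self.max_failures = max_failures
        self.failures = {}    # terminal -> consecutive unsuccessful attempts
        self.locked = set()   # terminals locked out of the system
        self.watched = set()  # terminals whose sessions are under surveillance
        self.alerts = []      # messages for the operator or ADPSSO

    def attempt(self, terminal, user, credential_ok):
        """Record one log-on attempt; return 'granted', 'granted-watched', 'denied' or 'locked'."""
        if terminal in self.locked:
            return "locked"
        if credential_ok:
            self.failures[terminal] = 0
            # a session on a watched terminal is allowed but stays flagged for the ADPSSO
            return "granted-watched" if terminal in self.watched else "granted"
        n = self.failures.get(terminal, 0) + 1
        self.failures[terminal] = n
        if self.policy == self.LOCKOUT and n >= self.max_failures:
            self.locked.add(terminal)
            self.alerts.append("%s locked after %d failed attempt(s), last user id %s" % (terminal, n, user))
            return "locked"
        if self.policy == self.SURVEILLANCE and n >= self.max_failures and terminal not in self.watched:
            self.watched.add(terminal)
            self.alerts.append("%s placed under surveillance, last user id %s" % (terminal, user))
        return "denied"

    def release(self, terminal):
        """ADPSSO action after investigation: clear the lock-out or surveillance flag."""
        self.locked.discard(terminal)
        self.watched.discard(terminal)
        self.failures[terminal] = 0
```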

1.2.5  Remove  Vendor-Supplied  Passwords. 

Vulnerability. Most vendor-supplied software comes with standardized and well-known imbedded passwords. Vendor-supplied passwords are often provided with operating system software, data management and file systems, and various utility packages. These standardized passwords serve to facilitate the installation of such software. A large community of users knows these passwords. If they are not changed, the system can be penetrated easily.

Countermeasure. Change the imbedded passwords that come with the vendor software. Provide unique passwords for each site and protect them to the highest level and most restrictive category of information processed by the ADP system. Passwords should be randomly generated and distributed by the ADPSSO or a delegated member of the officer's staff.


Confidence. Randomly generated passwords rate a high level of confidence. User-selected passwords are rated from low to medium.

Cost. The cost of generating random passwords to replace the vendor-supplied passwords is less than $500.

Caveats. A mathematically sound random number generator and a well-administered distribution scheme can be negated by careless employee practices, such as failing to safeguard passwords. In some cases, randomly generated passwords are unpronounceable or hard to remember. Such passwords tend to get written down, thus becoming subject to compromise.

1.2.6  Password  Protection  from  Visual  Observation. 


Vulnerability. If the password of an authorized user of a system is displayed on a terminal screen, on the terminal hardcopy, or on the batch hardcopy, the password may be compromised. Systems may be deficient by not providing this basic protection.


Countermeasure. Provide a mechanism to protect passwords from being displayed on the terminal screen or hardcopy. Provide software that will either suppress printing of the password when entered, or present a strikeover field onto which the terminal operator can enter a password.

In the case of password protection for batch jobs, modify the job control language (JCL) handlers so that the password is removed before the JCL cards are printed as part of the execution report. Card decks containing passwords must have procedural safeguards.

Confidence. Suppressing the printing of the password gains a high level of confidence. Other protection mechanisms are rated medium.

Cost. The cost for developing software to suppress password printing requires one to two man-months ($5,000 to $10,000).


Caveats. This countermeasure will not prevent employees from sharing passwords or from writing the passwords on desk pads or calendars, or from discarding card decks containing passwords.


Vulnerability. Operating system flaws may permit unauthorized access to sen-
Inadequate protection of off-line magnetic media such as tapes and disks may result in an unauthorized disclosure.

Countermeasure. Sensitive data files can be encrypted to reduce the possibility of compromise through disclosure. Cryptographic schemes can also provide an indication that files have been modified. This countermeasure provides protection while files are in an encrypted state. However, while files are being processed as cleartext (unencrypted), this countermeasure provides no protection. The possibility of compromise is reduced since the information in the file appears as cleartext only while being processed. The National


Confidence. This countermeasure provides very high confidence that encrypted files will not be disclosed due to loss of an off-line medium. Confidence against disclosure due to operating system flaws is medium.

Cost. The use of the DES in software is not approved at this time. Approved hardware implementations are available from the Collins Group of Rockwell International, IBM, Motorola, Intel, Burroughs, and Fairchild. Contact these vendors to obtain cost figures.

Caveats. An approved encryption device must be used in conjunction with special administrative and key management procedures to provide secure operation. The encryption keys must be protected at all times.


1.2.8 Data Base Protection

Vulnerability. Without proper data base protection measures, information contained within a data base may be compromised. Data bases may be compromised by asking a set of queries which return only statistical information and making inferences about a specific entry from the results of the set of queries.

Countermeasure. Several methods may be applied to reduce the possibility of compromise of a data base.

a. Inoculate the data with random errors to make the data base less precise. The majority of the data must be inoculated so that individual records are not necessarily accurate, but that the overall data base is still accurate for statistical analyses.

b. Use threat monitoring and logging to detect attempts to compromise data. For example, check unusual overlap patterns created by successive queries.

c. Identify the public characteristics of an individual item on the data base. Permitting queries on a subset of these characteristics will prevent an unauthorized user from determining the individual item. However, it is possible to deduce a small range of values for the individual item and then use outside information to determine the exact value (see reference a).

d. Use link files to separate identifying characteristics of data items from the statistical data associated with each item. One file contains the identifying characteristics of a data base item. Another file contains statistical data associated with the data base item. A link file matches the contents of these two files. Separating the data base in this way makes it more difficult to associate specific data items with identifying information.

e. Restrict the types of queries that can be made against the data base. For example, do not allow queries against certain combinations of data items. Restrict queries against small subsets of the data base. Certain subsets of the data base may have strong individual characteristics.

Confidence. Countermeasure a is rated medium. Countermeasures b and c are rated low. Countermeasures d and e are rated from medium to high.

Cost. The costs for developing b can range from one to two man-years of effort ($60,000 to $120,000). Costs for a and c are primarily in analysis work. An expected range may be from one to four man-weeks ($1,250 to $5,000). Costs for countermeasure d are development costs and range from three to six man-months ($15,000 to $30,000).

Caveats. Techniques to compromise data bases are quite sophisticated and are far more advanced than most countermeasures that can be readily implemented to protect data bases. This type of countermeasure can serve to deter unsophisticated attempts to compromise a data base.

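Countermeasures a, b and e above can all be applied at the statistical query interface itself. The following added example (not code from the appendix; the records, the class name and the threshold values are constructed) refuses queries whose query set, or its complement, is smaller than a minimum size, refuses a query that differs from an earlier one by fewer than that many records (the overlap pattern of b, since the difference of the two answers would isolate an individual), and optionally inoculates the stored values once at load time so that repeating a query cannot average the errors away.

```python
import random

# Constructed sample data base of individuals (not from the appendix).
RECORDS = [
    {"id": 1, "dept": "A", "grade": 9,  "salary": 30000},
    {"id": 2, "dept": "A", "grade": 11, "salary": 36000},
    {"id": 3, "dept": "A", "grade": 12, "salary": 41000},
    {"id": 4, "dept": "B", "grade": 9,  "salary": 31000},
    {"id": 5, "dept": "B", "grade": 13, "salary": 52000},
    {"id": 6, "dept": "B", "grade": 14, "salary": 60000},
    {"id": 7, "dept": "C", "grade": 10, "salary": 33000},
    {"id": 8, "dept": "C", "grade": 15, "salary": 74000},
]


class QueryRefused(Exception):
    """The query set could let a specific entry be inferred."""


class StatisticalDB:
    """Statistics-only interface applying countermeasures a (inoculation),
    b (overlap checking of successive queries) and e (query-set restriction)."""

    def __init__(self, records, min_set_size=3, noise=0.0, seed=0, noisy_fields=("salary",)):
        rng = random.Random(seed)
        self.records = []
        for r in records:
            r = dict(r)
            if noise:
                # (a) perturb each value once at load time; the perturbed copy is what
                # every later query sees, so repeated queries cannot average it away
                for f in noisy_fields:
                    r[f] = round(r[f] * (1 + rng.uniform(-noise, noise)))
            self.records.append(r)
        self.k = min_set_size
        self.history = []  # query sets already answered, as frozensets of record ids

    def _query_set(self, predicate):
        qs = frozenset(r["id"] for r in self.records if predicate(r))
        n = len(self.records)
        # (e) refuse small subsets; a small complement leaks the same by subtraction from the whole
        if len(qs) < self.k or n - len(qs) < self.k:
            raise QueryRefused("query set too small: %d of %d records" % (len(qs), n))
        # (b) a query differing from an earlier one by fewer than k records would let the
        # difference of the two answers isolate an individual
        for prev in self.history:
            d = len(prev ^ qs)
            if 0 < d < self.k:
                raise QueryRefused("differs from an earlier query by only %d record(s)" % d)
        self.history.append(qs)
        return qs

    def count(self, predicate):
        return len(self._query_set(predicate))

    def total(self, predicate, field):
        qs = self._query_set(predicate)
        return sum(r[field] for r in self.records if r["id"] in qs)


def answer(db, predicate, field=None):
    """Convenience wrapper: the statistic, or None when the guard refuses the query."""
    try:
        return db.total(predicate, field) if field else db.count(predicate)
    except QueryRefused:
        return None
```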
1.2.9  Periodic  Inspections  of  Software. 

Vulnerability. Software may have intentionally placed trojan horses, trap doors, or similar modifications that can cause unauthorized disclosure, unauthorized modification, destruction of data, or denial of service.

Countermeasure. Conduct periodic inspections of software in several ways such as the following:

a. Make visual inspections of program listings and files to detect unusual instances of data or software.

b. Perform automated code matches. A program can be developed to compare files for exact matches. These files can contain software or data.

c. Verify the date that a file was last modified. Compare this date against the date when the file was last modified for authorized purposes. This countermeasure requires that the system is able to maintain the last date of access to a file.

d. Compute and securely store checksums of software and data files. Then periodically checksum each file and compare the result to the stored checksum. A checksum is computed based on a portion of the data in each record.

Confidence. Countermeasures a, b, and d are rated medium. Countermeasure c is rated low.

Cost. Costs for countermeasures a and c are primarily personnel time. For each inspection the cost should average $600 (2.5 man-days). Costs for countermeasures b and d are primarily software development and the machine time to perform the inspection. Countermeasure b should cost about $5,000 (one man-month of development). Countermeasure d should cost only about $1,250 (one man-week of development effort).

Caveats. Confidence in these countermeasures depends on the secure storage of original software, data, checksums, and lists. Confidence and cost
depend  on  the  detail  and  frequency  of  the  inspections. 
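Countermeasures c and d above, with the caveat about secure storage of the checksums, as an added example (not code from the appendix). It generalizes d by hashing each whole file rather than a portion of each record, and binds the stored baseline to a keyed MAC so that a baseline altered in storage is rejected rather than trusted; the file names, contents, dates and key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample snapshots (not from the appendix): file name -> contents,
# plus the last-modified date the system recorded for each file.
BASELINE_FILES = {
    "LOGON.ASM": b"LOGON  START\n  CALL VERIFY\n  END\n",
    "PASSWD.DAT": b"U101:7f3a\nU102:9c1e\n",
    "AUDIT.ASM": b"AUDIT  START\n  CALL JOURNAL\n  END\n",
}
LAST_AUTHORIZED_CHANGE = {"LOGON.ASM": "1979-01-15", "PASSWD.DAT": "1979-02-01", "AUDIT.ASM": "1979-01-20"}

CURRENT_FILES = {
    "LOGON.ASM": b"LOGON  START\n  CALL VERIFY\n  CALL EXTRA\n  END\n",  # contents changed
    "AUDIT.ASM": b"AUDIT  START\n  CALL JOURNAL\n  END\n",              # unchanged, but re-dated
    "NEWUTIL.ASM": b"NEWUTIL START\n  END\n",                           # never inspected before
}
CURRENT_LAST_MODIFIED = {"LOGON.ASM": "1979-03-02", "AUDIT.ASM": "1979-03-02", "NEWUTIL.ASM": "1979-03-03"}

BASELINE_KEY = b"placeholder-baseline-sealing-key"  # hypothetical; keep it off the inspected system


def checksum(data):
    """Countermeasure d, generalized to the whole file contents."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files, authorized_dates):
    """Record, per file, its checksum and the date of its last authorized change (c)."""
    return {name: {"sha256": checksum(data), "authorized": authorized_dates[name]}
            for name, data in files.items()}


def seal_baseline(baseline, key):
    """Serialize the baseline and bind it to a keyed MAC so tampering with the
    stored copy is detectable (the caveat on secure storage of checksums)."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def load_baseline(blob, tag, key):
    """Return the baseline, or None if the stored copy no longer matches its MAC."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(blob)


def inspect(baseline, files, last_modified):
    """Periodic inspection: checksum comparison (d) and last-modified date check (c)."""
    findings = []
    for name, entry in sorted(baseline.items()):
        if name not in files:
            findings.append((name, "missing"))
            continue
        if checksum(files[name]) != entry["sha256"]:
            findings.append((name, "checksum mismatch"))
        if last_modified.get(name, "") > entry["authorized"]:
            findings.append((name, "modified after last authorized change"))
    for name in sorted(files):
        if name not in baseline:
            findings.append((name, "not in baseline"))
    return findings


def run_inspection():
    blob, tag = seal_baseline(build_baseline(BASELINE_FILES, LAST_AUTHORIZED_CHANGE), BASELINE_KEY)
    baseline = load_baseline(blob, tag, BASELINE_KEY)
    if baseline is None:
        raise RuntimeError("stored baseline failed verification; inspection results would be meaningless")
    return inspect(baseline, CURRENT_FILES, CURRENT_LAST_MODIFIED)
```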

1.2.10  Controlling  Use  of  Assembler  Language  Coding. 

Vulnerability. Software may be developed to penetrate the operating system. Assembly language provides the most direct access to hardware and software features that may be manipulated to penetrate the operating system.

Countermeasure. The following alternatives may be used to minimize the vulnerability to operating system penetration by means of assembly programs:

a. Remove the assembler language processor from the ADP system.

b. Control access to the assembler language processor through the use of passwords (limit the issuance of these passwords to those programmers, e.g., system programmers, who have a valid requirement to use assembler language).

c. Place the assembler language processor on an off-line storage medium so that it cannot be used without the active cooperation of the computer console operators who will have to mount the off-line storage medium.
Confidence. Countermeasure a is rated very high, b is medium, and c is high.

Cost. Each of the above countermeasures should cost less than $1,000 to implement. A possible exception is b, if the system in use does not already support password protection. In this case, the cost can be expected to exceed $10,000 for the cost of procuring new system software.

Caveats. Most applications programs can be written in a higher order language. Some application programs must use assembly language. Examples include real-time programs, terminal handlers, or data base manipulation programs.

This countermeasure does not address the problem of using a higher order language to create executable code and then transferring control to that code.


1.2.11  Two-Person  Control 


Vulnerability. Deficient security procedures may permit unauthorized modifications to be made to system software that controls log-on procedures, password verification and replacement, audit trail journalizing, and storage purging. Unauthorized modifications are more easily accomplished if the update procedure can be accomplished by a single individual.

Countermeasure. Require more than one person to make modifications to system software that controls log-on procedures, password verification and replacement, audit trail journalizing, and storage clearance. A second qualified individual should authorize or supervise modifications that are being made.

Confidence. With two-person control of system software, a medium to high level of confidence can be assured that unauthorized modifications are not being made.

Cost. The costs for this countermeasure will be for the increased personnel requirements.

Caveats. To the extent possible, this countermeasure should also be applied to application programs.




1.2.12  Periods  Processing. 

Vulnerability. Most general-purpose operating systems do not provide adequate controls to keep users from gaining unauthorized access to data.

Countermeasure. When several levels of classified or sensitive information must be processed, consider implementing periods processing. Periods processing is defined as a period of time during which information of a given security level is processed. Each classification level is processed at different times and the system is purged between periods. This requires a well-conceived and carefully followed checklist for shifting from period to period (see 1.3.3, Hardware Configuration Control). Periods processing requires procedural controls to insure that all users are cleared for the highest classification and most restrictive category of information being processed during the period.

Confidence. A very high level of confidence can be gained that an unauthorized access will not occur because of improper classification level.

Cost. The costs of this countermeasure include the administrative task of developing the necessary procedures for implementing periods processing and lost computer time while shifting from one period to another.

Caveats. There are several disadvantages in periods processing:

a. The computer is not available during the switch-over between periods. This may represent a significant overhead cost in terms of lost processing time.

b. Separate versions of the operating system software, with unique classification level requirements, must be used and maintained for each period.

c. The ADP system will be available to individual users only during their authorized periods.

d. The turnaround time for particular jobs may be very lengthy.

e. The procedures to purge the system when changing periods may be extensive, costly, and prone to error.


1.2.13 Testing and Debugging.

Vulnerability. The procedures for testing and debugging software may be inadequate. If there is a software failure during program testing or debugging, it may be difficult to ascertain the state of the computer and insure the integrity of data that was on-line or otherwise readily accessible. In the period of system instability during a software failure, normal system safeguards may not be in effect. Data may be disclosed inadvertently, e.g., misrouted to an unauthorized user.

Countermeasure. Two sets of countermeasures can be employed, one set for systems programs, the other for application programs.

a. System programs. The testing and debugging of system software programs should be performed initially during dedicated time in a controlled environment. If operational user files are required for testing, copies of these files should be used. Operational testing may be carried out when quality assurance personnel are satisfied that the programs are operating reliably.

b. Application programs. The testing and debugging of applications programs may be permitted during nondedicated times, but only copies of data files should be used.

Confidence. The proposed countermeasures insure a medium level of confidence that users will not be seriously interrupted and that data contamination will not occur during program testing and debugging.

Cost. The costs associated with these countermeasures are variable. They are administrative in nature; that is, the separation of production and debugging time must be enforced. Also, some time is lost to users when the system is dedicated to the testing and debugging of system programs.
1.2.14 Security Editing and Accounting.

Vulnerability. Deficient input/output procedures may damage the integrity of operational files. As a result, incorrect decisions may be made based on the invalid data.

Countermeasure. Use strong edit and transaction accounting features to insure data integrity. Some of these features are the following:

a. Control on input such as transaction counts, batch totals, card verifier operations separate from keypunching, self-checking number device on keypunch, and machine-readable document input. Types of input validation checks include: character checks, such as testing for numeric, alphabetic, or specific character group, blanks, field separators or special characters and the proper or valid arithmetic sign; field checks such as testing for limits, ranges, valid item, consistency, sequence, etc.

b. Controls on processing such as transaction counts, batch control totals, hash totals for batch, validation by file reference (does a record exist for this item?), consistency checks (does this item agree with previously stored data?), control on rounding errors, etc.

c. Control on output such as item counts, control totals, trailer labels on data sets, control records, serial numbers on documents, e.g., checks or invoices.

Labels on tapes or discs may contain label identifier, file number, batch number, creation date, retention cycle (son, father, grandfather), volume number, e.g., reel number, a count of the records on the file.

Examples of an input/output control group's typical responsibilities include the following:

(1) Log in jobs received for processing from user departments.

(2) Check document counts and control totals of work received.

(3) Notify user department that the work had been received and indicate whether the counts and totals are correct.

(4) Note any work that was due but not received.

(5) Note and initiate action on any improper preparation by the user departments, such as failure to provide counts or totals.

(6) Submit documents to be keypunched or entered onto tape or disk.

Confidence. Strong edit and accounting features cannot totally prevent the subtle alteration or corruption of data. However, a high level of confidence can be assured that well-conceived procedures can detect most input and output data errors.

Cost. Costs will be primarily for development and programming. Depending upon the level of detail for the integrity controls, the costs can range from two man-weeks ($2,500) to six man-months ($30,000).

Caveats. Edit and accounting features will degrade system performance slightly by requiring added processing of input/output.

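The input controls of item a (character and field checks, validation by file reference) and the batch reconciliation of item b (transaction count, batch total, hash total) against the figures the control group recorded at receipt, as an added example that is not code from the appendix. The record layout, the master account list, the control figures and the amount limit are constructed assumptions.

```python
import re
from decimal import Decimal

# Constructed batch (not from the appendix). Each record: four-digit account number,
# signed amount, three-letter transaction code, as keypunched from the user documents.
MASTER_ACCOUNTS = {1001, 1023, 1077, 1205}
RECORD_FORMAT = re.compile(r"^(\d{4}) ([+-]\d{4}\.\d{2}) ([A-Z]{3})$")
VALID_CODES = {"PAY", "ADJ"}
AMOUNT_LIMIT = Decimal("5000.00")

# Control figures the input/output control group recorded when the work was received:
# document count, batch total of the amounts, hash total of the account numbers.
CONTROL = {"count": 4, "amount_total": Decimal("1250.00"), "account_hash": 4306}
BATCH = [
    "1001 +0300.00 PAY",
    "1023 +0450.50 PAY",
    "1077 -0100.00 ADJ",
    "12O5 +0599.50 PAY",   # letter O punched for zero in the account number
]


def validate_record(number, line, master):
    """Character and field checks on one record: (parsed tuple or None, list of errors)."""
    m = RECORD_FORMAT.match(line)
    if not m:  # character check: wrong length, non-numeric digit, missing sign or separator
        return None, [(number, "character check failed: %r" % line)]
    account, amount, code = int(m.group(1)), Decimal(m.group(2)), m.group(3)
    errors = []
    if account not in master:  # validation by file reference
        errors.append((number, "no master record for account %d" % account))
    if abs(amount) > AMOUNT_LIMIT:  # limit check
        errors.append((number, "amount %s outside limit" % amount))
    if code not in VALID_CODES:  # valid item check
        errors.append((number, "invalid transaction code %s" % code))
    return (account, amount, code), errors


def validate_batch(control, batch, master):
    """Edit every record, then reconcile count, batch total and hash total against
    the control figures. Record number 0 denotes a batch-level error."""
    errors, accepted = [], []
    for number, line in enumerate(batch, start=1):
        parsed, rec_errors = validate_record(number, line, master)
        errors.extend(rec_errors)
        if parsed and not rec_errors:
            accepted.append(parsed)
    count = len(accepted)
    amount_total = sum((amt for _, amt, _ in accepted), Decimal("0.00"))
    account_hash = sum(acct for acct, _, _ in accepted)
    if count != control["count"]:
        errors.append((0, "record count %d != control count %d" % (count, control["count"])))
    if amount_total != control["amount_total"]:
        errors.append((0, "amount total %s != control total %s" % (amount_total, control["amount_total"])))
    if account_hash != control["account_hash"]:
        errors.append((0, "hash total %d != control hash %d" % (account_hash, control["account_hash"])))
    return errors
```

A batch with any record-level error also fails all three batch-level reconciliations, which is the signal for the control group to return the work to the user department rather than post the accepted records alone.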
1.2.15  Software  Engineering  Tools. 

Vulnerability. The failure of software to perform according to requirements has the potential to compromise security. Software failure may, for example, destroy the integrity of data bases or allow inventory shortages to go unnoticed.

Countermeasure. Below is a representative sampling of the many software tools available. These tools aid the development process to provide increased confidence that software will perform reliably and in accord with requirements.

a. RISOS (Research In Secure Operating Systems, project at Lawrence Livermore Labs) tools were developed to analyze assembly language programs. Analytical tools available in RISOS include a program that counts occurrences of a specified symbol, a program that identifies the control flow and flags specified items, and a program that locates instruction patterns. These are some of the very few software engineering tools developed specifically for security.

b. Software quality measures are computer programs that examine a program to generate a quantifiable measure of the program's quality. This allows testers to reject programs with quality measures that are outside a certain range, on the assumption that program reliability decreases as quality decreases.

c. Self-metric software examines the source code of a computer program and inserts software measurement probes. The software probes help testers estimate the extent to which a program has been tested by some set of test data. Data gathered from such probes might indicate the number of times a loop was executed, the entry and exit values, and the test stimuli provided.

d. Test data generators are computer programs that generate test cases to be used in the testing of software. These programs range from utility type programs that generate sequences of alphanumeric and/or numeric data based upon parametric inputs, to entire systems that interpretively examine the flow through a program and attempt to generate appropriate sequences of test cases.

e. Audit programs insure that programs conform to a given set of programing standards. Programs that deviate significantly may be more difficult to understand and may have flaws that could affect security.

f. Trace programs record data such as program variables or events that can assist in program debugging and validation.
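The three RISOS tools named in item a (a symbol counter, a control-flow identifier that flags specified items, and an instruction-pattern locator) are simple enough to show in working form. The block below is an added example, not code from this document or from the RISOS project; the assembly listing, the mnemonic set, and the function names are assumptions for illustration.

```python
"""Added example (not from the original document or from the RISOS project):
a small analyzer in the spirit of the three RISOS tools, run over a
constructed assembly listing.  Listing, mnemonics and function names are
assumptions for illustration."""
import re

# Constructed listing: optional label in column 1, mnemonic, optional operand,
# optional ';' comment.  Line numbers in the results are 1-based.
LISTING = """\
START   LDA   COUNT      ; load loop counter
        CMP   LIMIT
        BEQ   DONE
        STA   BUFFER
        JSR   CHECK
        INC   COUNT
        JMP   START
DONE    STA   RESULT
        RTS
CHECK   LDA   BUFFER
        CMP   LIMIT
        BEQ   DONE
        JMP   EXIT       ; EXIT is never defined in this listing
        RTS
"""

CONTROL_FLOW = {"BEQ", "BNE", "JMP", "JSR", "RTS"}   # assumed control-transfer mnemonics
LINE_RE = re.compile(r"^(\w+)?\s*(\w+)(?:\s+(\w+))?\s*$")


def parse(listing):
    """Yield (line_no, label, mnemonic, operand) per non-blank line, comments stripped."""
    for line_no, raw in enumerate(listing.splitlines(), start=1):
        text = raw.split(";", 1)[0].rstrip()
        if not text.strip():
            continue
        m = LINE_RE.match(text)
        if m is None:
            raise ValueError(f"line {line_no}: cannot parse {raw!r}")
        yield line_no, m.group(1), m.group(2), m.group(3)


def count_symbol(listing, symbol):
    """Tool 1: count occurrences of a specified symbol as a label or an operand."""
    return sum((label == symbol) + (operand == symbol)
               for _, label, _, operand in parse(listing))


def control_flow(listing):
    """Tool 2: identify control-transfer instructions as (line_no, mnemonic, target)."""
    return [(n, mnem, operand) for n, _, mnem, operand in parse(listing)
            if mnem in CONTROL_FLOW]


def unresolved_targets(listing):
    """Tool 2, flagging: control transfers whose target label is never defined."""
    labels = {label for _, label, _, _ in parse(listing) if label}
    return [(n, mnem, tgt) for n, mnem, tgt in control_flow(listing)
            if tgt is not None and tgt not in labels]


def find_pattern(listing, pattern):
    """Tool 3: starting line numbers where consecutive mnemonics equal `pattern`."""
    rows = list(parse(listing))
    mnems = [mnem for _, _, mnem, _ in rows]
    k = len(pattern)
    return [rows[i][0] for i in range(len(mnems) - k + 1)
            if mnems[i:i + k] == list(pattern)]


if __name__ == "__main__":
    print("COUNT used", count_symbol(LISTING, "COUNT"), "times")
    print("control flow:", control_flow(LISTING))
    print("unresolved targets:", unresolved_targets(LISTING))
    print("CMP/BEQ pairs start at lines", find_pattern(LISTING, ["CMP", "BEQ"]))
```

A reviewer would typically run the pattern locator with the instruction sequences the facility's standards forbid or require review of, and the unresolved-target check catches transfers that leave the audited code.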

Confidence.  Confidence  placed  in  these  tools  ranges  from  low  to  high. 

Cost. Tools that are readily available, such as those developed for the U.S. Government, may be obtained at no cost. Other tools may be purchased or leased. Contact the supplier of these tools for cost information. Development cost of tools can range from one to four years ($60,000 to $240,000).


Implementation costs vary for each tool and range from one man-day to two man-weeks of effort ($250 to $2,500), depending on system compatibility.


Application of the tool varies depending upon the effort made in developing test cases, standards or criteria. Costs may range from one man-day to a man-week of effort ($250 to $1,250).


Caveats. Different software engineering tools accomplish different goals. The confidence placed in each tool is based upon the expected improvements in reliability and conformance with requirements as a result of using the tool.


1.2.16  Secure  Subsystems 


Vulnerability. Most general-purpose operating systems are unable to enforce security policies without stringent administrative and procedural controls. Generally, it is impractical to retrofit security into existing operating systems by attempting to correct all known flaws.


Countermeasure.  A secure  subsystem  approach  may  provide  an  adequate  level 
of  security  if  most  of  the  users  of  a computer  system  are  application  program 
(subsystem)  users  and  have  no  need  for  a general  programming  capability. 

Secure subsystems divide users who are concurrently active in a computer into isolated groups that support distinct operational missions. User group isolation restricts access to security-related objects based upon the different need of each user to know the information contained within the objects. Such differentiation can be important even if the users who are to be isolated have identical security clearances. In certain benign environments, secure subsystems can also justify a limited form of multilevel operation. A single-level secure subsystem could be certified to operate at a level lower than the system-high level to support a set of users cleared only to the level of the secure subsystem.


These subsystems would prevent a user from escaping from the subsystem. Moreover, the subsystem would provide security controls that may be lacking in the operating system.

Confidence. Secure subsystems assure a high level of confidence that the users of the subsystem are protected adequately from each other.

Cost. The costs associated with this countermeasure are unknown but can be assumed to be high. Costs will vary based upon the number of subsystems to be secured. The cost can be expected to be not less than $500,000. The cost may be shared by several installations having comparable software requirements.

Caveats.  Secure  subsystems  protect  users  from  each  other  but  they  do  not 
guarantee  protection  from  penetrators  outside  the  subsystem. 

1.2.17  Security  Kernel. 

Vulnerability.  Most  operating  systems  have  weak  security  features.  Programs 
may  subvert  the  operating  system  to  gain  unauthorized  access  to  data  or  a 
faulty  operating  system  may  malfunction,  such  as  by  misrouting  data. 

Countermeasure. For highly sensitive systems, consider employing a software security kernel. A security kernel is designed to mediate all access within the system and can generally be defined as the security policy enforcing code. Some characteristics of a kernel are that it is always invoked, it is tamper proof, and it is small. A small kernel is desired because formal specification and verification techniques are applied to prove consistency of successive levels of the design. It is extremely difficult to verify formally a large body of specifications or code.

Confidence.  The  level  of  confidence  to  be  placed  in  a security  kernel  is 
very  high. 

Cost. The costs to design, implement, and verify a security kernel are probably beyond the resources of any one organization. Costs may approach several million dollars. However, if the costs can be shared by enough organizations with similar hardware and software the cost per organization can be reduced substantially. The KSOS effort is to provide an off-the-shelf security kernel.

Caveats. The security kernel is still a relatively new concept and there are few in existence. There are also unresolved questions concerning the effects of a kernel on system performance, the cost of formal verification, and the ability to maintain the software.

1.2.18  Virtual  Machine  Monitors  (VMM) 


Vulnerability.  Many  operating  systems  do  not  provide  the  level  of  protection 
required  for  certain  applications. 


Countermeasure. A virtual machine monitor (VMM) can isolate users from each other and offer a level of protection that most operating systems cannot.

The  VMM  offers  each  user  of  the  system  its  own  virtual  machine.  Each  virtual 
machine  is  provided  by  the  VMM  with  a virtual  CPU,  virtual  memory,  virtual 
input/output  channels,  virtual  devices,  and  virtual  unit  record  equipment. 

A VMM  does  the  following: 


a.  Interprets  and  executes  privileged  instructions. 

b. Verifies input/output addressing and simulates the input/output devices.

c.  Allocates  hardware  resources. 


VMM's are commercially available from various vendors. The security of the systems is generally better than most operating systems. A secure VMM (reference e) is under development and should be comparable to a security kernel.

Confidence. The level of confidence is high that a VMM isolates users from each other.




Cost. A VMM that must be retrofitted into a current system would cost at least $500,000.

Caveats. VMM's would not be feasible for systems that require frequent interaction among programs. Also, the system overhead for the VMM is sig


1.2.19  Password  File  Encryption 


Vulnerability. The file access control mechanisms in most general-purpose operating systems may not prevent a skilled penetrator from obtaining the on-line password file. This may lead to a penetration of the computer system and the unauthorized disclosure of information.


Countermeasure. The file containing the passwords used to log on to the system can be encrypted. Such a scheme will prevent an on-line password file from being readily intelligible if the file is disclosed. The password file is stored in encrypted form using a one-way or irreversible algorithm. The encrypted passwords cannot be inverted to obtain the original cleartext passwords.

In  operation,  user-supplied  passwords  are  encrypted  and  compared  against  the 
encrypted  passwords.  A match  indicates  that  a valid  password  was  supplied. 
Presumably,  if  a penetrator  is  able  to  gain  access  to  this  file,  then  the  other 
access  control  authentication  mechanisms  could  also  be  bypassed.  Encrypting 
the  password  file  is  an  effective  countermeasure  against  accidental  disclosure 
and  casual  browsing. 


Confidence.  A high  level  of  confidence  can  be  placed  in  this  countermeasure 
to  protect  against  accidental  disclosure  and  casual  browsing.  The  confidence 
is  rated  medium  for  skilled  penetrators. 


Cost.  Depending  on  the  encryption  scheme  implemented,  the  cost  can  be 
expected  to  range  from  $5,000  to  $50,000. 


Caveats.  When  using  such  a scheme,  recovering  a forgotten  password  requires 
that  a list  of  the  passwords  in  unencrypted  form  be  maintained  manually. 


There is also the danger that two or more clear passwords may produce the same "one-way transform." This may allow potential unauthorized access to the system. One-way or irreversible algorithms have been broken in the past.

Very  short  or  user-selected  passwords  increase  the  possibility  of  compromise. 
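The scheme in 1.2.19 (store only a one-way transform, transform the supplied password at logon, compare) can be shown in working form. The block below is an added example, not code from this document; it uses PBKDF2-HMAC-SHA256 as the one-way algorithm (the document names none), adds a per-user random salt so that two users with the same cleartext password do not produce identical records, and applies a minimum-length policy for the caveat about very short passwords. The record layout, function names and sample users are assumptions.

```python
"""Added example (not from the original document): a one-way password file
of the kind described in 1.2.19, with the encrypt-and-compare logon check.
Record layout, function names and sample users are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 100_000        # work factor of the one-way transform
SALT_BYTES = 16             # per-user random salt, stored beside the digest
MIN_PASSWORD_LENGTH = 8     # policy for the "very short passwords" caveat


def one_way_transform(password, salt, iterations=ITERATIONS):
    """Irreversible transform: PBKDF2-HMAC-SHA256 over password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def password_acceptable(password):
    """Minimum-length policy applied before a password is stored."""
    return len(password) >= MIN_PASSWORD_LENGTH


def make_record(user, password):
    """One line of the password file: user:iterations:salt:digest (hex fields).
    The cleartext password is never written anywhere."""
    if not password_acceptable(password):
        raise ValueError("password rejected by policy")
    if ":" in user:
        raise ValueError("user name must not contain the field separator")
    salt = os.urandom(SALT_BYTES)
    digest = one_way_transform(password, salt)
    return f"{user}:{ITERATIONS}:{salt.hex()}:{digest.hex()}"


def parse_record(line):
    user, iterations, salt_hex, digest_hex = line.strip().split(":")
    return user, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(password_file, user, password):
    """Logon check: transform the supplied password the same way and compare.
    The stored digest is never inverted; the comparison is constant-time, and an
    unknown user costs the same as a wrong password so the file's contents are
    not revealed through timing."""
    for line in password_file.splitlines():
        if not line.strip():
            continue
        rec_user, iterations, salt, stored = parse_record(line)
        if rec_user == user:
            candidate = one_way_transform(password, salt, iterations)
            return hmac.compare_digest(candidate, stored)
    one_way_transform(password, bytes(SALT_BYTES))   # dummy work for unknown users
    return False


def digest_of(record):
    """Inspection helper: the hex digest field of a record."""
    return record.split(":")[3]


if __name__ == "__main__":
    # Constructed password file with two sample users.
    password_file = "\n".join([make_record("alice", "correct horse battery"),
                               make_record("bob", "bobs-secret-9")])
    print(password_file)
    print("alice, right password:", verify(password_file, "alice", "correct horse battery"))
    print("alice, wrong password:", verify(password_file, "alice", "Correct horse battery"))
    print("unknown user:", verify(password_file, "carol", "correct horse battery"))
```

Because the stored value cannot be inverted, the recovery caveat applies exactly as stated: a forgotten password can only be replaced with a new record, not recovered from the file.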

1.3  HARDWARE 

1.3.1  Protection-State  Variables. 

Vulnerability.  If  a processor  does  not  employ  two  or  more  protection-state 
variables,  both  the  user  and  the  operating  system  must  operate  in  the  same 
state.  As  a result,  a user  may  be  able  to  perform  all  hardware  functions 
without  restriction. 

Countermeasure. A processor should have at least two protection-state variables, i.e., privileged mode/user mode, in which certain instructions are illegal except in privileged mode. Examples of privileged instructions include input/output, memory management, and context switching. Modification of the protection-state variables should be constrained by the operating system and hardware so that a program in user mode cannot switch itself into privileged mode.

Confidence.  Depending  upon  how  well  the  system  software  uses  protection-state 
variables,  this  countermeasure  ranges  from  low  to  high  confidence. 

Cost.  The  cost  of  this  countermeasure  is  included  in  modern  CPU  costs. 

Caveats.  Procuring  new  hardware  to  recognize  only  two  or  more  protection- 
state  variables  is  rarely  justified.  New  procurements  should  mandate  hardware 
that  meets  this  requirement  and  software  that  fully  supports  and  exploits  it. 

1.3.2  Memory  Protection  Mechanisms. 

Vulnerability. Computer architectures may not have mechanisms to restrict main memory access by user programs. Lack of memory protection mechanisms also makes it possible for user programs to interfere either inadvertently or maliciously with other users or with the operating system itself.

Countermeasure.  All  computer  system  hardware  that  processes  classified  or 
sensitive  information  should  support  the  use  of  memory  protection  mechanisms. 
These mechanisms are designed to isolate users from each other and from the operating system. The hardware checks each fetch and store instruction for proper access.

Examples  of  hardware  procection  mechanisms  include  memory  bounds  regiscers 
(CDC  6000  Series),  storage  locks  and  keys  (IBM  370  series),  segmentation 
(IBM  360/67),  paging  (Honeywell  6180),  rings,  capabilities,  tagged  architec- 
ture (Burroughs  B6700),  and  descriptor-based  protection  (Plessey  250). 

Confidence.  A computer  architecture  with  a mechanism  to  restrict  memory 
access  rates  a medium  level  of  confidence.  Architectures  implementing  seg- 
mentation, paging,  rings,  or  other  more  restrictive  mechanisms  rate  high  or 
very  high. 


Cost.  The  cost  of  this  countermeasure  is  included  in  modern  CPU  costs. 


Caveats. New hardware procurements should include appropriate memory protection mechanisms.
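The two mechanisms of 1.3.1 and 1.3.2 are easiest to see acting together: a protection-state variable makes certain instructions illegal in user mode, bounds registers are checked on every load and store, and the only way from user mode into privileged mode is a trap that the hardware raises. The block below is an added example, not code from this document; it is a toy processor model, and its instruction set, trap kinds and sample programs are assumptions for illustration.

```python
"""Added example (not from the original document): a toy processor model
showing a privileged/user protection-state variable (1.3.1) and memory
bounds registers (1.3.2) enforced together.  Instruction set, trap kinds
and sample programs are assumptions for illustration."""

PRIVILEGED = {"IO", "SETBOUNDS", "SETMODE", "HALT"}   # illegal except in privileged mode


class Trap(Exception):
    """Hardware trap: the processor enters privileged mode and the OS handles it."""

    def __init__(self, kind, detail):
        super().__init__(f"{kind}: {detail}")
        self.kind, self.detail = kind, detail


class CPU:
    def __init__(self, words):
        self.memory = [0] * words
        self.privileged = True            # power-on state: operating system in control
        self.base, self.limit = 0, words  # bounds registers: accessible range [base, limit)
        self.trap_log = []                # filled in by the OS trap handler

    def _checked(self, addr, op):
        """Memory protection: every load/store must satisfy base <= addr < limit."""
        if not self.base <= addr < self.limit:
            raise Trap("BOUNDS", f"{op} {addr} outside [{self.base}, {self.limit})")
        return addr

    def execute(self, instr, *args):
        if instr in PRIVILEGED and not self.privileged:
            raise Trap("PRIV", f"{instr} is illegal in user mode")
        if instr == "LOAD":
            return self.memory[self._checked(args[0], instr)]
        if instr == "STORE":
            addr, value = args
            self.memory[self._checked(addr, instr)] = value
        elif instr == "SETBOUNDS":
            self.base, self.limit = args
        elif instr == "SETMODE":
            self.privileged = bool(args[0])
        elif instr == "EXIT":
            raise Trap("EXIT", "system call: program finished")   # sanctioned way back to the OS
        elif instr in ("IO", "HALT"):
            pass                                                  # device access would happen here
        else:
            raise Trap("ILLEGAL", f"unknown instruction {instr}")
        return None


def run_user_program(cpu, base, limit, program):
    """OS dispatch: set the program's bounds, drop to user mode, run until a trap.
    Returns ('completed', step) on EXIT or ('terminated', step) on a violation."""
    assert cpu.privileged, "the operating system dispatches programs in privileged mode"
    cpu.execute("SETBOUNDS", base, limit)
    cpu.execute("SETMODE", False)
    for step, (instr, *args) in enumerate(program):
        try:
            cpu.execute(instr, *args)
        except Trap as trap:
            cpu.privileged = True        # hardware: trap entry raises the protection-state variable
            cpu.trap_log.append((trap.kind, trap.detail))
            return ("completed" if trap.kind == "EXIT" else "terminated", step)
    raise RuntimeError("program must end with EXIT")


def demo():
    """Three constructed user programs run on one machine with the user region [16, 32)."""
    cpu = CPU(64)
    cpu.memory[0] = 42   # operating-system data, outside the user region
    results = {
        "in_bounds": run_user_program(cpu, 16, 32, [("STORE", 20, 7), ("LOAD", 20), ("EXIT",)]),
        "out_of_bounds": run_user_program(cpu, 16, 32, [("STORE", 0, 99), ("EXIT",)]),
        "privilege_escalation": run_user_program(cpu, 16, 32, [("SETMODE", True), ("IO",), ("EXIT",)]),
    }
    return cpu, results


if __name__ == "__main__":
    cpu, results = demo()
    for name, outcome in results.items():
        print(f"{name:22} {outcome}")
    for entry in cpu.trap_log:
        print("trap:", entry)
```

The second program shows the 1.3.2 check (a store at word 0 traps and the OS data is untouched); the third shows the 1.3.1 rule that a user-mode program cannot switch itself into privileged mode, since SETMODE is itself a privileged instruction.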

1.3.3  Hardware  Configuration  Control  (Periods  Processing). 

Vulnerability. Poor security procedures may make it possible for the system to be configured incorrectly following periods processing. This could lead to the unintentional storing of classified data on unclassified devices or the sending of classified data to a remote terminal that should have been disconnected.


Countermeasure. Establish and enforce the use of a configuration control checklist. This checklist should contain detailed procedures for connecting the individual ADP system components together into the specific system configuration to be employed during each period. These procedures include setting all hardware switches, powering up and down of each device, loading the standard software and firmware for the configuration system, system operating procedures, and shutdown and restart procedures. Strict adherence to the established procedures is essential for overall system security. To insure that the procedures are followed, it is desirable that two people verify the new configuration.

Confidence. The strict use of a configuration checklist can provide a high level of assurance that the system is correctly configured for each mode of operation, such as top secret or unclassified.

Cost.  The  cost  of  developing  a configuration  control  checklist  is  principally 
administrative.  The  cost  of  following  this  checklist  is  the  time  for  the 
console  operator  and  another  person  to  verify  the  actual  configuration  against 
the  checklist. 

Caveats.  This  countermeasure  is  meant  to  be  used  when  changing  from  one 
period  to  another  during  periods  processing.  It  can  also  be  used  during 
start-up  after  the  computer  has  been  shut  down. 

1.3.4  Front-End  Machines. 

Vulnerability.  Security  functions  such  as  password  authentication,  access 
control,  and  security  monitoring  may  be  rendered  ineffective  by  penetration 
of  the  operating  system. 

Countermeasure.  In  some  applications  it  may  be  desirable  to  employ  a non- 
programmable minicomputer  to  perform  functions  such  as  password  authenti- 
cation, access  control,  and  security  monitoring  for  a larger  co-located  host. 

Some  advantages  of  this  device  are  the  following: 

a.  Off  loading  security  functions  may  improve  the  performance  of  the  host 
computer. 

b.  Locating  security  functions  in  a physically  separate  computer  reduces 
the  possibility  that  these  functions  may  be  compromised  due  to  host 
computer  penetration. 


c.  Isolating  the  security  functions  may  allow  for  more  rigorous  soft- 
ware verification  of  security  functions  than  is  feasible  in  a host 
computer  system. 


Confidence. There are many variables to consider when assessing the level of confidence for this countermeasure. These include the strategy for attaching the front-end machine to the host, the overall design of the front-end software, and the techniques used to verify the design and implementation. However, if the front-end minicomputer is non-programmable, a high level of confidence is assured that the security functions will not be subverted.

Cost.  The  costs  associated  with  a front-end  machine  can  be  expected  to  be 
not  less  than  $250,000. 

Caveats.  A detailed  cost  benefit  analysis  is  probably  necessary  to  weigh 
the  substantial  development  cost  against  the  expected  benefit. 

1.3.5  Data  Base  Machines 


Vulnerability.  A penetrator  of  an  operating  system  could  have  virtually 
unrestricted  access  to  all  information  available  on  the  on-line  storage 
media  managed  by  the  operating  system. 

Countermeasure.  A data  base  machine  can  be  used  in  applications  employing 
very  large  data  bases  or  data  bases  that  are  shared  by  different  computers, 
local  or  remote.  The  data  base  machine  is  a minicomputer  between  the  main 
computers  and  the  on-line  storage  media  to  manage  the  reading  and  writing 
of  the  data  base.  The  authority  of  a user  to  gain  access  to  the  system  can 
be  checked  in  the  data  base  machine.  Other  security-related  considerations 
are: 


a. The data base machine's operating system and hardware provide protection to the Data Base Management System (DBMS) and to security-relevant data.

b.  There  is  a forced  invocation  of  the  DBMS  to  access  data.  Any 
attempted  access  of  the  data  base  causes  a hardware  interrupt  that 
activates  the  DBMS. 


c. The DBMS is separated from all user programing and direct access capabilities.

d.  Hosts  may  continue  to  operate  system-high  and  untrusted. 

Confidence. Use of a data base machine would assure a medium level of confidence that a penetration of the host operating system would not allow unrestricted access to on-line data.

Cost. The hardware and software required for putting a data base machine into operation may cost $500,000 or more if developed from scratch.

Caveats. Some processing power would be gained in the host computer by transferring the data base management software to the data base machine. This may be an alternative to expanding the capacity of a saturated host computer. This performance gain could be outweighed by the overhead associated in communicating with the data base machine.

1.3.6  Redundant  Equipment. 

Vulnerability. In some situations even short periods of downtime due to equipment failure may pose a serious threat of denial of service if there is no backup hardware or contingency plan.

Countermeasure. In systems with a highly critical uptime requirement, install enough redundant equipment to carry on the minimum critical functions in the event of an equipment failure in the main configuration.

Confidence.  Installation  of  sufficient  redundant  equipment  will  assure  a high 
level  of  confidence  that  a denial  of  service  will  not  occur  due  to  equipment 
failure. 

Cost.  The  costs  associated  with  this  countermeasure  may  be  high  depending 
on  how  much  hardware  must  be  duplicated. 
Caveats. Rarely will it be necessary to provide redundancy for the entire hardware configuration. It should be necessary to duplicate only the minimum configuration of hardware to process the functions for which the agency or department cannot suffer a denial of service.


1.3.7  Hardware  Error  and  Tampering  Detection. 

Vulnerability.  Undetected  hardware  errors  or  hardware  tampering  may 
compromise  security. 


Countermeasure. Provide hardware with facilities to detect and expose internal hardware malfunctions. Modern hardware normally has error detection capabilities, such as parity error detection. Hardware components should cause an interrupt to occur whenever there is a change in their status.

Software can then be developed to interpret the interrupt for possible tampering or change in hardware configuration. Software may also be developed to detect unusual error or interrupt patterns.
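The software side of this countermeasure, interpreting status-change interrupts and looking for unusual error patterns, is shown below as an added example that is not code from this document. It runs three checks over a constructed interrupt log: an interrupt from a device that is not in the approved configuration, a status change outside a scheduled maintenance window, and a burst of parity errors from one device. The log format, device inventory, maintenance schedule and thresholds are all assumptions.

```python
"""Added example (not from the original document): software that interprets
hardware status-change interrupts and error patterns as 1.3.7 suggests.  The
interrupt log, device inventory, maintenance schedule and thresholds are
constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed interrupt log: date time channel device event [detail]
SAMPLE_LOG = """\
1979-03-12 06:30:00 CH1 DEV03 STATUS offline
1979-03-12 06:45:00 CH1 DEV03 STATUS online
1979-03-12 08:00:01 CH2 DEV07 PARITY
1979-03-12 08:00:09 CH2 DEV07 PARITY
1979-03-12 08:00:15 CH1 DEV03 PARITY
1979-03-12 08:00:20 CH2 DEV07 PARITY
1979-03-12 08:00:31 CH2 DEV07 PARITY
1979-03-12 08:01:02 CH1 DEV03 STATUS offline
1979-03-12 08:01:40 CH1 DEV03 STATUS online
1979-03-12 08:02:00 CH3 DEV09 STATUS online
1979-03-12 09:15:00 CH1 DEV03 PARITY
"""

APPROVED_DEVICES = {"DEV03", "DEV07"}                 # the configured hardware (constructed)
MAINTENANCE_WINDOWS = [(datetime(1979, 3, 12, 6, 0),  # scheduled work, status changes expected
                        datetime(1979, 3, 12, 7, 0))]
BURST_THRESHOLD = 4                                   # this many parity errors ...
BURST_WINDOW = timedelta(seconds=60)                  # ... within this interval is unusual


def parse_line(line):
    """Split one log line into (timestamp, channel, device, event, detail)."""
    date, time, channel, device, event, *detail = line.split()
    stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return stamp, channel, device, event, " ".join(detail)


def in_maintenance(stamp):
    return any(start <= stamp < end for start, end in MAINTENANCE_WINDOWS)


def detect_anomalies(log_text):
    """Return alerts as (timestamp, device, kind, detail), in log order."""
    alerts = []
    recent_errors = defaultdict(deque)   # device -> parity-error timestamps inside BURST_WINDOW
    burst_reported = set()               # report each burst once, not on every further error
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, channel, device, event, detail = parse_line(line)
        if device not in APPROVED_DEVICES:
            alerts.append((stamp, device, "UNKNOWN_DEVICE",
                           f"interrupt from unconfigured device on {channel}"))
        if event == "PARITY":
            window = recent_errors[device]
            window.append(stamp)
            while stamp - window[0] > BURST_WINDOW:   # drop errors older than the window
                window.popleft()
            if len(window) >= BURST_THRESHOLD and device not in burst_reported:
                burst_reported.add(device)
                alerts.append((stamp, device, "ERROR_BURST",
                               f"{len(window)} parity errors within {BURST_WINDOW.seconds}s"))
        elif event == "STATUS" and not in_maintenance(stamp):
            alerts.append((stamp, device, "STATUS_CHANGE",
                           f"status changed to {detail} outside maintenance window"))
    return alerts


if __name__ == "__main__":
    for stamp, device, kind, detail in detect_anomalies(SAMPLE_LOG):
        print(f"{stamp:%H:%M:%S} {device} {kind}: {detail}")
```

The two DEV03 status changes at 06:30 and 06:45 fall inside the maintenance window and are not reported; the same changes at 08:01 are, and DEV09 is reported both for being unconfigured and for its status change.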

Confidence.  Error  and  detection  mechanisms  assure  a medium  level  of  confidence 
that  tampering  and  errors  will  not  disrupt  system  functions. 


Cost. Costs will be primarily in developing software to support these special hardware features. Costs may range from one man-month to one man-year of effort ($5,000 to $60,000).


Caveats.  In  addition  to  detecting  tampering  and  errors,  it  would  be  desirable 
to  implement  recovery  techniques  for  these  problems.  Costs  vary  according 
to  sophistication  of  software  detection  capabilities. 


1.3.8  Interruption-Resistant  Power. 

Vulnerability. The power supply for the ADP system may be inadequate to meet the facility's performance requirements.

Countermeasure. To correct for minor power line fluctuations (transients), install a voltage regulator transformer. This regulator will provide protection against minor transients and brownouts.

Confidence.

Cost. Approximately $100 to $200 per kilovolt-ampere (KVA) of load.


Countermeasure. Protect against short-term power failures by using a motor alternator with an energy storage flywheel. This configuration will provide up to 15 seconds of power and also protect against transients and brownouts.


Confidence.  High 


Cost. Approximately $200 to $300 per KVA of load, plus cost of installation.

Caveats. A special room may be needed for the equipment.


Countermeasure.  Protect  against  long-term  power  failures  by  using  batteries. 
Depending  on  the  ampere-hour  capacity  of  the  batteries  and  the  KVA  requirements 
of  the  ADP  equipment,  the  load  may  be  supported  for  up  to  two  hours. 


Confidence. 


Cost.  Approximately  $700  to  $900  per  KVA  of  load,  plus  cost  of  site  preparation 
and  installation. 


Countermeasure. To prevent a major loss of power, install a backup generating system.

Confidence.

Cost. Approximately $100 per KVA of load, plus installation and site preparation costs.


Caveats.  In  ADP  facilities  where  environmental  controls  must  be  maintained  for 
continued  operation  of  the  ADP  facility,  the  additional  electrical  load  has  to 
be  added  to  the  generating  capacity.  Other  electrical  requirements  that  may  be 
necessary  for  operation  should  be  considered,  such  as  lighting,  alarm  systems, 
and  security  systems. 


1.4.1 Software Development Procedures.

Vulnerability. Software development procedures at the ADP facility may be inadequate to insure that software is developed and controlled according to standards.


Countermeasure.  Establish  software  development  procedures  that  place  explicit 
controls  on  the  software  development  process.  These  controls  should  cover  the 
areas  of  program  design,  coding,  and  documentation. 


a. Program design should include controls that cover the following:

(1) Audit trails to establish an historical record of processing.

(2) A thorough and comprehensive test plan covering program testing.

(3) Controls on the accuracy of data, such as input verification, matching against legal values, control fields, and self-checking digits.

(4) Quantitative controls, such as transaction counts, batch control totals, controls on rounding errors, reasonableness checks, and error suspense files.


b.  Program  coding  should  comply  with  such  programming  controls  as  the 
following: 


(1) Organize programers in teams; make sure that no single programer is responsible for an entire sensitive application system.


(2)  Observe  naming  conventions  so  that  all  references  to  a data  element 
within  an  application  are  known  by  the  same  name. 


(3)  Use  comments  explaining  accompanying  code  segments.  These  comments 
ease  the  task  of  program  maintenance  and  help  provide  documentation. 


(4) Use standardized indentation of source code to improve both readability and maintainability.

(5) Have a second programer inspect every program before it is compiled to make sure it conforms to standards, does not use restricted functions, and is logically complete.

c.  Program  documentation  should  be  standardized  within  the  ADP  facility  and 
thorough  documentation  should  be  required  on  all  programs.  Documentation 
should  contain  the  following: 

(1)  A functional  description  of  the  program  written  in  a narrative  form 
describing  the  initial  definition  of  the  program  and  any  subsequent 
changes. 

(2)  A program/subprogram  section  that  contains  information  about  the 
hardware  environment,  design  elements,  and  interfaces. 

(3) A program specification section that describes the program inputs, outputs, functions performed, interdependencies, and exception conditions.

(4) A program manual section with flowcharts, source listings, cross-reference listings, test data used, and operating instructions.

These  standards  may  have  to  be  adapted  to  individual  facility  needs. 
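The data-accuracy controls of item a(3) and the quantitative controls of a(4) are the program-level counterparts of the counts and totals the input/output control group checks in the preceding procedure. The block below is an added example, not code from this document, applying them to a constructed batch of input transactions: a self-checking digit on the account number, matching the transaction code against legal values, a reasonableness limit, exact decimal arithmetic for totals, a transaction count and batch control total against the user department's header, and an error suspense file. The record layout, sample data and function names are assumptions.

```python
"""Added example (not from the original document): the data-accuracy and
quantitative controls of 1.4.1 a(3) and a(4) applied to a constructed batch.
Record layout, sample data and function names are assumptions."""
from decimal import Decimal, InvalidOperation

LEGAL_CODES = {"DR", "CR"}                    # legal values for the transaction-code field
REASONABLE_MAX = Decimal("10000.00")          # single-transaction reasonableness limit
CENT = Decimal("0.01")                        # amounts must be exact to the cent

# Constructed batch: the user department supplies a count and a control total.
BATCH_HEADER = {"batch_id": "B0421", "count": 5, "total": Decimal("26250.00")}
BATCH_LINES = """\
1000000008,DR,500.00
2000000006,CR,250.00
1000000007,DR,300.00
3000000004,XX,200.00
2000000006,DR,25000.00
"""


def check_digit_valid(account):
    """Self-checking digit: mod-10 (Luhn) check; the rightmost digit is the check digit."""
    if not account.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_record(fields):
    """Per-record edits.  Returns (amount, None) if accepted, else (amount, reason)."""
    account, code, raw_amount = fields
    try:
        amount = Decimal(raw_amount)
    except InvalidOperation:
        return None, "amount not numeric"
    if amount != amount.quantize(CENT):
        return amount, "amount has more than two decimal places"   # rounding control
    if not check_digit_valid(account):
        return amount, "check digit"
    if code not in LEGAL_CODES:
        return amount, "illegal transaction code"
    if not 0 < amount <= REASONABLE_MAX:
        return amount, "amount outside reasonable range"
    return amount, None


def process_batch(header, text):
    """Run the edits, accumulate the count and control total, and route failures
    to the suspense file.  Totals are accumulated over every received record so
    they can be compared with what the user department reported."""
    accepted, suspense = [], []
    received_count, received_total = 0, Decimal("0.00")
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != 3:
            suspense.append((line_no, line, "wrong field count"))
            continue
        received_count += 1
        amount, reason = edit_record(fields)
        if amount is not None:
            received_total += amount
        if reason is None:
            accepted.append((line_no, fields[0], fields[1], amount))
        else:
            suspense.append((line_no, line, reason))
    return {
        "batch_id": header["batch_id"],
        "received_count": received_count,
        "received_total": received_total,
        "count_ok": received_count == header["count"],
        "total_ok": received_total == header["total"],
        "accepted": accepted,
        "suspense": suspense,
    }


if __name__ == "__main__":
    result = process_batch(BATCH_HEADER, BATCH_LINES)
    print("count ok:", result["count_ok"], " total ok:", result["total_ok"])
    print("accepted:", len(result["accepted"]))
    for line_no, line, reason in result["suspense"]:
        print(f"suspense line {line_no}: {line!r} ({reason})")
```

In the constructed batch the count and control total both agree with the header while three of the five records fail the per-record edits, which is why the design list calls for both kinds of control rather than either alone.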

Confidence. A medium level of confidence can be justified by this countermeasure.

Cost.  The  costs  associated  with  this  countermeasure  will  consist  of  the 
following: 

a.  The  one-time  administrative  cost  to  establish  procedures  for  this 
countermeasure  is  approximately  $3,000  or  one  man-month. 


b. The recurring administrative cost to review and update these procedures periodically is approximately $1,250 or one man-week per year.

c. The cost of recurring personnel time to comply with these procedures is estimated at five to ten percent of coding time for documentation writing and 10 to 15 percent of coding time for checking by a second qualified programer.

Caveats. Standards and conventions can be difficult to enforce and can add to initial software costs but may ease program maintenance.

1.4.2  Software  Maintenance  Procedures. 


Vulnerability.  The  procedures  governing  the  maintenance  of  production  computer 
software  may  have  weaknesses  that  lead  to  a compromise  of  security. 

Countermeasure. Establish software maintenance procedures that place explicit controls on the software maintenance process. Controls on the software maintenance procedures should include the following:

a.  Approved  "Request  for  Change"  should  be  required  to  initiate  changes  in 
production  programs. 

b.  Program  changes  should  be  coded,  tested,  and  documented  in  accordance 
with  the  facility  software  development  and  software  acceptance  procedures. 

These controls may have to be adapted to individual facility needs.

Confidence.  A medium  level  of  confidence  can  be  justified  by  this  counter- 
measure. 

Cost. The costs associated with this countermeasure will consist of the following:

a. The one-time administrative cost to establish procedures for this countermeasure is approximately $2,500 or two man-weeks.

b. The recurring administrative cost to review and update these procedures periodically is approximately $1,250 or one man-week per year.

c. The cost of recurring personnel time to comply with these procedures is estimated at 30 percent of the coding time.

Caveats.  Standards  and  conventions  can  be  difficult  to  enforce.  These  software 
maintenance  procedures  add  to  the  initial  cost  of  software  maintenance  but 
reduce  the  number  of  reruns  that  otherwise  would  occur  because  of  maintenance 
errors  in  software  modification. 

1.4.3  Input/Output  Procedures. 

Vulnerability.  An  ADP  facility  may  have  inadequate  procedures  for  the  accep- 
tance and  release  of  information. 

Countermeasure. Establish input/output procedures that place explicit controls on the submission of input and receipt of output. The input/output procedures should include the following:

a. Require users to submit job requests to use an ADP facility, such as to enter data or to make a production run.

b.  Identify  persons  authorized  to  submit  and  pick  up  work  from  the  ADP 
facility. 

c.  Control  housekeeping  activities  to  maintain  the  flow  of  work  through 
the  ADP  facility. 

d.  Give  all  users  instructions  for  obtaining  and  returning  tapes  and  disks 
to  the  magnetic  media  library. 

e.  Provide  instructions  for  the  quality  control  of  output  and  determination 
of  correct  security  classifications. 

f.  Provide  instructions  to  cover  the  signing  of  receipts  upon  receiving 
classified  material  and  obtaining  a receipt  for  classified  output. 


Confidence. A medium to high level of confidence can be justified by this countermeasure.

Cost. The costs associated with this countermeasure will consist of the following:

a. The one-time administrative cost to establish procedures for this countermeasure is approximately $2,500 or two man-weeks.

b. The recurring administrative costs to review and update these procedures periodically are approximately $1,250 or one man-week per year.


c.  The  continuing  salary  costs  of  the  persons  appointed  to  the  input/output 
control  group. 


1.4.4 Access Procedures.

Vulnerability. Inadequate procedures for controlling access to supplies, computer equipment, and facilities can lead to unauthorized disclosure, theft, fraud, etc.

Countermeasure. Establish procedures for controlling access to the ADP facility, supply storage area, and other associated sites such as remote terminal areas and backup sites.


a.  Procedures  for  controlling  access  to  the  ADP  facility  include  the 
following: 


(1) Access lists.

(2)  Escort  procedures. 

(3)  Identification  badges. 

(4)  Guards. 

(5)  Mechanical  or  electronic  door  locks. 

(6) Prompt removal of transferred or terminated employees from access lists and the mandatory turn-in of any facility identification or access keys or cards.


b.  Periodic  inventories  should  be  conducted  of  cosiputer  equipment  and 
related  supplies. 

Confidence. 

a.  The  level  of  confidence  placed  in  controlling  access  to  the  ADP  system 
should  be  medium  to  high. 

b.  The  level  of  confidence  in  procedures  for  accounting  of  computer  equip- 
ment and  related  supplies  should  be  medium  to  high. 

Cost.  The  costs  associated  with  this  countermeasure  will  consist  of  the 
following: 

a.  Costs  for  procedures  controlling  access  to  the  ADP  facility  will  be: 

(1)  The  one-time  administrative  cost  to  establish  these  procedures 
is  approximately  $1,250  or  one  man-week. 

(2)  The  recurring  administrative  cost  to  review  and  update  these  pro- 
cedures is  approximately  $2,500  or  two  man-weeks  per  year. 

(3)  The  one-time  cost  to  install  whatever  access  control  method  is 
selected  (see  countermeasure  1.7.1,  "Access  to  the  Computer  Center"). 

(4)  The  ongoing  cost  of  maintaining  whatever  method  of  access  control 
is  selected. 

b.  The  costs  of  procedures  for  accounting  for  computer  equipment  and  related 
supplies  will  be  recurring  administrative  costs  to  conduct  periodic  inven- 
tories. 

1.4.5 Waste Procedures.

Vulnerability. Procedures may be inadequate to dispose of ADP waste materials.

Countermeasure. Establish procedures that clearly define the ADP waste materials that are to be disposed of in a secure manner and provide the facilities for secure disposal. These procedures should identify and provide destruction facilities for the following:

a. Paper and paper products, including carbon paper.

b. Printer ribbons.

c. Magnetic tapes, disks, drums, memory, etc.

d. Microfilm and microfiche if used.

Destruction facilities include incinerators, shredders, disintegrators, pulp machines, magnets, and tape degaussers.

Confidence. The level of confidence in this countermeasure is very high.

Cost. The costs associated with this countermeasure will be:

a. The one-time administrative cost to develop these procedures, estimated to be $250 or one man-day.

b. The one-time cost to purchase and install whatever method of destruction is selected. Shredders and disintegrators range in price from $2,000 to $6,000.

Caveats. Method of destruction for ADP waste materials must meet DOD standards.

1.4.6 Emergency Procedures.

Vulnerability. Security procedures for emergency situations may be inadequate, absent, or unenforceable.

Countermeasure. Establish well-conceived and technically feasible emergency procedures and test these procedures periodically. Sources of advice for the development of these procedures are the following:

a. The installation fire marshal.

b. The facility engineer.

c. The installation security office.

These procedures will normally cover the following:

a. Provide for off-site storage of duplicate records and files.

b. Arrange for processing critical applications at other ADP facilities.

c. Identify material to be evacuated or destroyed.

d. Designate a single point of contact for developing emergency procedures.

e. Provide transportation in the case of emergency evacuation.

Confidence. The level of confidence in this countermeasure should be medium to high.

Cost. The costs of this countermeasure will consist of the following:

a. The one-time administrative cost to establish these procedures is approximately $10,000 or two man-months.

b. The recurring administrative cost to review and update these procedures periodically should be approximately $2,500 or two man-weeks per year.

c. An undetermined one-time cost to provide the facilities to carry out these procedures.

d. An undetermined recurring cost to exercise these procedures periodically.

Caveats. Training and periodic exercises are essential to insure that emergency procedures would be carried out in an actual emergency.

1.4.7 Operations Procedures.

Vulnerability. The operations procedures may be inadequate and lead to disclosure, destruction, or a denial of service.

Countermeasure. Establish operations procedures that clearly and explicitly state how the ADP facility will function on a day-to-day basis. Some of the points that these procedures should cover are the following:

a. System start-up, shutdown, and system crashes.

b. Priority scheduling of production runs.

c. Computer operations personnel interface with users and programmers.

d. Separation of duties.

e. Rotation of duties.

Confidence. The level of confidence in this countermeasure should be medium to high.

Cost. The costs of this countermeasure will consist of the following:

a. The one-time administrative cost to establish these procedures is approximately $5,000 or one man-week of effort.

b. The recurring administrative cost to review and update these procedures is approximately $2,500 or two man-weeks per year.

c. The cost of training exercises on a periodic basis is calculated on the frequency, duration, and number of personnel involved.


1.4.8 Security Procedures and Security Officer.

Vulnerability. Security is a full-time job and each ADP facility should have an ADP System Security Officer (ADPSSO). The ADPSSO must have adequate authority to conduct an appropriate security program.

Countermeasure. Establish the position or function of ADPSSO and appoint someone in writing to fill the position or carry out the function. The ADPSSO should be located within the ADP facility organizational structure so that the ADPSSO reports directly to the ADP facility commander or manager. Some of the functions of the ADPSSO should be:

a. Serves as the single point of contact for ADP security at the ADP facility.

b. Analyzes the ADP environment to identify vulnerabilities, assess threats, and apply countermeasures when needed.

c. Develops, maintains, and documents security requirements and operating procedures.

d. Insures that all personnel who install, operate, maintain, or use the ADP system know system security requirements and their responsibilities.

e. Establishes methods for detecting, reporting, investigating, and resolving ADP security incidents.

f. Establishes procedures for controlling changes to system hardware, software, applications, passwords, and central facility and terminal access.

g. Conducts periodic audits of security procedures and controls.

Confidence. The level of confidence in this countermeasure should range from medium to very high.

Cost. The costs associated with this countermeasure will consist of:

a. The recurring cost of the full or part-time salary of the individual appointed as ADPSSO.

b. The one-time cost of training the individual appointed as ADPSSO.

1.5 PERSONNEL

Vulnerability. Poor management attitude and policy can lead to lapses in security.

Countermeasure. To prevent lapses in security, management should actively comply with security regulations and control procedures and make sure that employees do the same. Management should also seek out ways to improve security. Training and indoctrination courses should be given regularly to employees.

Confidence. Medium.

Cost. The cost depends on the time needed to develop a training course and the man-hours required to train each employee.

Countermeasure. To prevent employee misuse of or damage to the ADP facility, screen potential employees for personal integrity, stability, and conscientiousness. Maintain close and effective communications with the staff to prevent employee dissatisfaction or to deal with complaints if they arise.

Confidence. Medium.

Cost. The cost depends on the man-hours expended on pre-hire screening and management participation.

Countermeasure. To improve safety and security, periodically observe the work environment and work habits of employees. Observation will detect poor housekeeping habits that may increase the possibility of physical losses, such as tapes left on heaters, trash left in the computer room, or coffee cups on equipment. Observation will also detect poor work habits that may compromise security, such as listings left unattended or files left open for unauthorized browsing.

Confidence. Medium.

Vulnerability. The personnel of the ADP system or facility can represent a degree of vulnerability that could be exploited to compromise security.

Countermeasure. To reduce the vulnerability of a compromise of classified defense information, require all personnel with unescorted access to the ADP facility to have a security clearance. The level of the security clearance must be at least as high as the level of information being processed. Uncleared personnel must be escorted by authorized persons and sensitive information must be protected.

Confidence. High.

Cost. The approximate cost to issue a TOP SECRET security clearance by the Defense Industrial Security Clearance Office is between $1,000 and $10,000.

Countermeasure. To reduce the risk of inadvertent damage by personnel, employ competent and well-trained personnel. Make clear the duties and obligations of employees.

Confidence. Medium.

Cost. None.

1.6 EMANATIONS

1.6.1 Emanations Security.

Vulnerability. Some components of a computer and computer peripherals emanate data signals various distances when processing or displaying data. These emanated data signals can be recorded by hostile monitoring equipment.

Countermeasure. Measures to control compromising emanations (TEMPEST) are required on systems that process classified information under the provisions of DOD Directive S-5200.19, 10 February 1968, "Control of Compromising Emanations (U)." There are basically three methods recommended for controlling compromising emanations:

a. To provide the equipment with a physical control zone sufficient to preclude successful hostile intercept actions.

b. To implement minimum essential countermeasures to contain compromising signals within a physical control zone.

c. To design or modify the equipment to limit the strength of possible compromising signals to acceptable limits considering the physical control zone available.

The equipment must be tested to determine the physical control zone required, the countermeasures which are required, or the possible equipment modifications needed. A physical control zone does not necessarily require a fenced area, guarded area, or a closed-circuit surveillance system, provided sufficient control is maintained to prohibit access for an unauthorized effort. (See Military Standardization Handbook 232(U).) The physical control zone requirement may be satisfied by security measures currently in place.

Confidence. If a large enough physical control zone is available or the minimum essential countermeasures are implemented or the equipment is designed or modified to limit the strength of emanations, then a high degree of confidence is gained.

Cost. The costs of containing compromising emanations vary depending on the equipment to be purchased and installation costs.

Footnote 2. Physical control zone is defined as the space surrounding equipment which processes classified information, that is under sufficient physical and technical control to preclude a successful hostile intercept of classified information from within this space.

1.6.2 Radios and Tape Players.

Vulnerability. Radios, tape players, and other personally-owned equipment may be transmitters of electromagnetic emanations, which in turn may be modulated by nearby ADP equipment.

Countermeasure. Radios, tape players, and personally-owned electronic equipment should be banned from the computer room at installations processing classified information. Exceptions to this ban include equipment that has been technically inspected and approved.

Confidence. The strict enforcement of this countermeasure insures a high degree of confidence.

Cost. The costs of this countermeasure are the following:

a. The initial administrative cost of one man-week ($1,250) to develop the procedure for this countermeasure.

b. The recurring cost to conduct another technical inspection each time the equipment is brought back into the secure area.

1.7 PHYSICAL

1.7.1 Access to the Computer Center

Vulnerability. The physical aspects of the ADP facility may make it difficult to control access to the facility.

Countermeasure. To prevent intruders from gaining access to the installation, install an external surveillance system. Elements of the system include an external lighting system, a roving guard patrol, and closed circuit television surveillance. Also install intruder alarms on all unattended windows and doors.

Confidence.

Cost. The cost of intruder alarm systems and television surveillance is highly dependent on building design, sophistication of equipment to be used, and local labor rates.

Countermeasure. To prevent unauthorized persons from entering the installation or ADP facility, establish a guard force. The guard will verify and admit authorized personnel, maintain a visitor log, and insure that visitors are properly escorted.

Confidence. Medium.

Cost. The cost of guard service depends on local labor rates.

Countermeasure. To prevent unauthorized persons from entering the ADP facility, install an access system. The following systems provide protection by requiring the entrant to unlock a door. These systems may be used singly or in combination.

a. Conventional key and lock set

b. Electronic key system

c. Mechanical combination locks

d. Electronic combination locks

Confidence. High.

Cost. The following list provides the approximate cost per door:

a. Conventional key and lock set - $15

b. Electronic key system - $400 or more

c. Mechanical combination locks - $40 or more

d. Electronic combination locks - $500 or more

Caveats. The environment control system and storage rooms should also be secured to prevent unauthorized access.

Vulnerability. The physical layout inside the ADP facility may make it difficult to control the movement of persons within the ADP facility.

Countermeasure. To prevent unauthorized access to the computer room or other critical areas, such as the tape library or communication equipment area, install an access system. The same types of locked-door systems described in the previous countermeasure are applicable.

Confidence.

Cost. See previous countermeasure.

Countermeasure. To prevent unauthorized access to critical areas that are unattended, install a passive security system. The following detection devices can be used singly or in combination:

a. Photometric system

b. Motion detection system

c. Acoustical system

d. Proximity system

Confidence.

Cost. The following list provides the approximate cost for each system not including installation costs:

a. Photometric system - $500

b. Motion detection system - $250 or more

c. Acoustical system - $100

d. Proximity system - $350

Countermeasure. To minimize access to the computer area, access should be on a need-to-know basis. Visitors, maintenance personnel, and customer engineers should provide positive identification and always be escorted.

Confidence. Medium.

1.7.2 Fire Protection

Vulnerability. The fire protection may be inadequate, making the ADP system or facility vulnerable to fire.

Countermeasure. Install a fire detection system. Place additional fire detectors above false ceilings, below raised floors, and in air conditioning ducts. Install a control panel that can identify the location of the detector that causes an alarm.

Confidence. High.

Cost. Approximately $3,500 plus installation costs for a 2,000 square foot room.

Countermeasure. Make fire extinguishers available in accessible locations. Mark each extinguisher as to the type of fire for which it is to be used. For example, a class A extinguisher should only be used on paper or wood.

Confidence. Medium.

Cost. A class A extinguisher costs approximately $35. A class BC extinguisher costs approximately $60.

Countermeasure. To provide a means of extinguishing or controlling a fire in the ADP facility, install an automatic fire extinguishing system. Three types of systems are: a water sprinkler system, a carbon dioxide system, and a HALON deluge system. Install alarms to alert personnel if the system is activated. A water flow alarm can be used for sprinkler systems and a pressure sensor alarm can be used for gaseous systems.

Confidence. Very high.

Cost. The approximate cost for each system follows:

a. Water sprinkler system in a new building is $1.00 per square foot.

b. Retrofitted water sprinkler system is $3.00 per square foot.

c. HALON-1302 system is $.30 per cubic foot plus installation.

d. Carbon dioxide system is $.42 per cubic foot plus installation.

Countermeasure. Provide a fire protection plan to prevent the cause of fire and to extinguish a fire quickly. Develop the fire plan with the aid of the fire marshal. Conduct frequent inspections to identify and eliminate potential fire hazards.

Confidence. Medium.

Cost. Minimal.

Countermeasure. To protect equipment when a fire is detected, install and clearly mark emergency power disconnect switches. Make plastic sheeting available to cover equipment to protect against water damage. Store magnetic tapes and removable disk packs in fireproof or fire-resistant containers or rooms.

Confidence. Medium.

Cost. A fireproof safe that can store 48 magnetic tape reels costs approximately $2,000.


1.7.3 Environmental Control Systems.

Vulnerability. The environmental support systems (air conditioning, heating, and humidity control) may be inadequate to meet the mission's performance requirements.

Countermeasure. To protect against the failure of the air handling unit (AHU), install multiple units. For example, use three 20-ton AHUs in place of one 50-ton unit. There should be enough capacity to maintain the environment with one unit out of service. The air handling units circulate the computer room air, provide temperature and humidity control, and filter the air.

Confidence. High.

Cost. The approximate cost of an AHU is $350 per ton plus installation costs.

Countermeasure. To protect against the failure of the heating or cooling unit (compressor, heat pump, or circulation pump), install multiple units. There should be adequate capacity with one unit out of service.

Confidence. High.

Cost. The approximate cost of a cooling unit is $800 per ton plus installation costs.

Countermeasure. If the environmental control system fails, the capability to use outside air may be beneficial. Depending on location and weather, the use of direct outside air via vents and fans may be sufficient to maintain the temperature and humidity of the facility.

Confidence. Low.

Cost. The cost depends on the extent of modifications and on local labor rates.

Countermeasure. Install an AHU designed to use and recirculate inside air in the event that outside air becomes unusable. The outside air may contain noxious fumes or may be of such poor quality that the filtration system would not be useful.

Confidence. Medium.

Cost. The cost depends on the extent of modifications and on local labor rates.

1.7.4 Building Construction.

Vulnerability. The construction of the building for the ADP system may introduce vulnerability.

Countermeasure. To protect against water damage caused by flooding, install pumps to remove water. Make sure that floor drains contain check valves to prevent water from entering the computer room. Install curbs around the facility or seal walls to divert water and prevent seepage.

Confidence. High.

Cost. A pump may cost from $600 to $5,000, depending on the size required.

Countermeasure. To prevent accidental flooding from plumbing failure, re-route pipes from above the facility. If this cannot be done, make sure that shutoff valves are accessible and clearly identified. Water pipes can be instrumented to detect any abrupt loss of pressure and to alert personnel.

Confidence. High.

Cost. The cost depends on the extent of modifications and on the local labor rate.

Countermeasure. To protect against damage caused by an earthquake, locate the ADP facility in a building with high resistance to earthquake damage. The building should be located to minimize risk of damage from neighboring buildings or structures.

Confidence. High.

Cost. Unknown.

Countermeasure. To protect against a fire outside the ADP facility, install fire walls and fire doors. Install fire dampers in all ducts leading to the facility to prevent smoke from entering.

Confidence. High.

Cost. The approximate cost of a fire door is $170 plus installation.

1.8 COMMUNICATIONS

1.8.1 Communications Lines and Links.

Vulnerability. It is possible to tap or monitor surreptitiously a data communication line or link; any data passed along the communications lines or links are susceptible to hostile interception or manipulation.

Countermeasure. Transmission and communication lines and links between components of an ADP system must be secured at a level appropriate for the material to be transmitted.

In the case of classified material, the countermeasures for secure communications lines or links are mandated by DOD Directives. Contact the Naval Electronics Systems Security Engineering Facility.

For sensitive information or Privacy Act data, secure transmission is not mandated. However, during transmission some security should be provided, especially for sensitive data such as procurement data. This type of protection could be achieved through the use of the National Bureau of Standards Data Encryption Standard (DES), published as Federal Information Processing Standard (FIPS) Publication Number 46.

Confidence. A very high level of confidence can be placed in the mandated cryptographic techniques used for classified information. A high level of confidence can be placed in the DES.

Cost. A hardware implementation of the DES should be less than $5,000.

Caveats. An important factor affecting the level of confidence in the DES is the type of security afforded the keys used by the DES. A secure method must be developed to distribute the keys to the users of the system. Use of the DES in software is not approved at this time.

1.8.2 Terminal Identification.

Vulnerability. Many systems have improper or insufficient authentication of hardware. This can lead to a situation where an operating system cannot properly identify a terminal before responding to a request for data from the terminal. There is the possibility that data will be routed to a terminal whose location is not secure enough to support the storage of the data.

Countermeasure. Each remote terminal should be individually identified by a hardware feature in synch with the operating system. That is, the communications port, channel, and subchannel number should always communicate with the same remote terminal unless physically switched at the central site.

Confidence. A high level of confidence can be assigned to this countermeasure.

Cost. The costs associated with this countermeasure can be substantial if new terminals must be bought that have a unique identification symbol associated with them.

Caveats. Confidence in this countermeasure depends on how often the hardware identification symbol in each terminal series is repeated. The manner of implementation of the hardware identification, i.e., whether an identification is secure, also affects the confidence level.

1.8.3 Terminal Identification by Call Back.

Vulnerability. Many systems have insufficient means to identify valid terminal users. Without some form of terminal identification there is no way to assure that a potential penetrator terminal is not asking to be connected.

Countermeasure. For systems that allow dial-up terminal connection and that do not have an automatic hardware terminal identification feature, install a call-back terminal identification procedure.

The call-back procedure identifies a terminal dialing into a computer system. The central computer first disconnects the calling terminal, then re-establishes the connection by dialing the telephone number of the calling terminal.

Confidence. A call-back terminal identification procedure assures a high level of confidence that the terminal asking to be connected is at least in the same location as the authorized terminal.

Cost. The costs associated with this countermeasure should be less than $2,000. This cost may be reduced by having the computer operator or switchboard operator perform the call-back procedure rather than installing automatic call-back software.

Caveats. If a procedure is set up to have either the computer console operator or a switchboard operator perform the call-back procedure, they must be instructed to call back the number at the place where the terminal is supposed to be, rather than a number that the terminal operator gives them.

1.8.4 Handshaking.

Vulnerability. Without some type of authentication procedure, there is no way a system and a user can identify each other.

Countermeasure. Handshaking is a procedure by which a system and a user (also two users or two systems) exchange identifiers to verify each other's identity. The identifiers can be passwords or even the successful execution of an algorithm.

Confidence. The confidence gained by using this countermeasure is medium.

Cost. The costs associated with this countermeasure are in software development and they should be no greater than one man-month ($5,000).

Caveats. Confidence in this countermeasure can vary as the protocol for handshaking varies. An exchange of common passwords, such as name of person and identification number of a hardware unit, will lower the level of confidence. Using a pseudo-random number transformation may raise the level of confidence.
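The two handshake styles the caveat contrasts can be placed side by side. The following is an added example, not code from the original document: it models a fixed-identifier exchange and a challenge-response exchange in which the system issues a fresh pseudo-random challenge and the terminal returns a keyed transformation of it. HMAC-SHA256 is assumed as the transformation (the document names none), and the terminal identifier, shared secret and line-monitor scenario are constructed for the demonstration.

```python
"""Added example (not from the original document): the two handshake styles
contrasted in the caveat above, a fixed-identifier exchange and a
challenge-response exchange built on a pseudo-random transformation.
Assumed (not on the page): HMAC-SHA256 as the transformation; the terminal
identifier, shared secret and line-monitor scenario are constructed."""
import hashlib
import hmac
import secrets

# Constructed shared secrets: the system and each terminal user hold a copy.
SECRETS = {"TERM-07": b"constructed-shared-secret-07"}


# --- Style 1: exchange of a fixed identifier (lowers confidence) ---------
def fixed_handshake(terminal_id: str, presented: bytes) -> bool:
    """The system accepts the static identifier the caller presents."""
    return hmac.compare_digest(presented, SECRETS.get(terminal_id, b""))


# --- Style 2: challenge-response with a keyed transformation -------------
def issue_challenge() -> bytes:
    """System side: a fresh, unpredictable challenge for every session."""
    return secrets.token_bytes(16)


def respond(terminal_id: str, challenge: bytes) -> bytes:
    """Terminal side: transform the challenge with the shared secret."""
    return hmac.new(SECRETS[terminal_id], challenge, hashlib.sha256).digest()


def verify(terminal_id: str, challenge: bytes, response: bytes) -> bool:
    """System side: recompute the transformation and compare in constant time."""
    key = SECRETS.get(terminal_id, b"")
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def mutual_handshake(terminal_id: str) -> bool:
    """Both parties challenge each other (the two-systems case in the text)."""
    c_from_terminal, c_from_system = issue_challenge(), issue_challenge()
    system_proves = verify(terminal_id, c_from_terminal, respond(terminal_id, c_from_terminal))
    terminal_proves = verify(terminal_id, c_from_system, respond(terminal_id, c_from_system))
    return system_proves and terminal_proves


# --- What a line monitor (the threat in 1.8.1) gains from a recording -----
def replay_accepted_fixed() -> bool:
    """A recorded fixed-identifier exchange, presented again, is accepted."""
    recording = SECRETS["TERM-07"]  # exactly what crossed the line
    return fixed_handshake("TERM-07", recording)


def replay_accepted_challenge() -> bool:
    """The same recording against challenge-response is rejected: the next
    session carries a new challenge, so the old response no longer matches."""
    c1 = issue_challenge()
    recording = respond("TERM-07", c1)  # legitimate session, observed on the line
    c2 = issue_challenge()              # next session
    return verify("TERM-07", c2, recording)


if __name__ == "__main__":
    print("fixed identifier, replay accepted:", replay_accepted_fixed())
    print("challenge-response, replay accepted:", replay_accepted_challenge())
    print("mutual handshake succeeds:", mutual_handshake("TERM-07"))
```

A monitor on the line that records the fixed exchange can present it again and be accepted; the same recording presented to the challenge-response handshake is refused because the next session carries a different challenge. The keyed transformation also lets each side challenge the other, which is the two-systems case in the countermeasure. The shared secret still has to be distributed and stored securely, the same key-management caveat the document raises for the DES in 1.8.1.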


1.8.5 Telephone Instruments

Vulnerability. Factory-installed microphones in the handset and ringers on standard telephone instruments can act as microphones, either through design or intentional manipulation. They can then be used to monitor surreptitiously data signals and voices in the area around the telephone instruments.

Countermeasure. Relocate telephone instruments 1.8 meters (6 feet) or more from equipment used to process classified information. To minimize the technical security hazard posed by factory-supplied telephone instruments, remove the factory-supplied ringer from each instrument and install a protective ringing device.

Confidence. You can be assured of a high level of confidence that this countermeasure will substantially lower the risk that classified emanations or audio will travel out of a secure area over non-secure telephone instruments.

Cost. The cost per telephone will be less than $50.

1.8.6  Protected  Wireline  Distribution  System  (PWDS) 


Vulnerability.  Unprotected  communications  links  can  cause  an  AOP  facility  to 
be  vulnerable  to  unauthorized  activities  including  wiretapping  and  spoofing. 


Countermeasure.  In  some  classes  of  ADP  systems,  it  is  desirable  to  employ  a 
Protected  Wireline  Distribution  System  (PWDS).  A PWDS  is  a telecommunications 
system  that  has  been  approved  by  a legally  designated  authority.  It  is  a 
system  for  which  electromagnetic  and  physical  safeguards  have  been  applied 
to  permit  safe  electrical  transmission  of  unencrypted  sensitive  information. 
Contact  the  ADPSSO  for  assistance. 


Confidence. A PWDS will assure a high level of confidence that the communications system is secure against unauthorized activities.


* Spoofing: the deliberate inducement of a user or a resource to take an incorrect action.




Cost. The costs associated with a PWDS are high. However, a PWDS for a secure terminal area within the same building but outside the secure computer center may be less expensive than cryptographic protection.


Caveats. Once a PWDS has been run to a terminal or group of terminals, it is expensive to move the terminals and the PWDS lines.


1.8.7  Communications  Path  Alternatives


Vulnerability. A communications system may be totally reliant on a single set of communications paths. If one path becomes unavailable, serious denial of service problems may occur.

Countermeasure. Each path in a communications system should have an alternative route. There should be more than one way to get from one node to another node in the communications system.

Backup paths can be established physically (with hardware) and logically (with software).


Confidence.  The  greater  the  connectivity,  i.e.,  the  more  alternative  routes 
there  are,  the  greater  the  confidence  will  be  that  a serious  denial  of  service 
will  not  occur.  One  backup  path  gains  a medium  level  of  confidence  at  best. 
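A way to check a topology against the countermeasure and the confidence statement above, as an added example that is not part of the appendix. Given the list of links, it reports every link whose loss partitions the network (a node pair with no alternative route at all) and, for a chosen pair of nodes, how many link-disjoint routes exist between them, which is the number of links that must fail before the pair is cut off. The topology, node names and link list are constructed for the example.

```python
"""Constructed example: single-path dependencies in a communications topology.

Not from the appendix.  Node names and links are invented.  Links are
undirected; parallel links are treated as independent physical circuits.
"""

from collections import defaultdict, deque

# Constructed topology: a computer center with two front-end processors,
# two multiplexers and two terminal rooms.
LINKS = [
    ("CPU", "FEP-A"), ("CPU", "FEP-B"),        # CPU reaches either front end
    ("FEP-A", "MUX-1"), ("FEP-B", "MUX-1"),    # MUX-1 has two routes in
    ("FEP-A", "MUX-2"),                        # MUX-2 reaches FEP-A directly ...
    ("MUX-2", "TERM-ROOM-2"), ("FEP-B", "TERM-ROOM-2"),   # ... and FEP-B via room 2
    ("MUX-1", "TERM-ROOM-1"),                  # room 1 hangs off one link only
]


def build_graph(links):
    g = defaultdict(set)
    for a, b in links:
        g[a].add(b)
        g[b].add(a)
    return g


def is_connected(g, nodes):
    """True if every node in `nodes` is reachable from any one of them."""
    start = next(iter(nodes))
    seen, q = {start}, deque([start])
    while q:
        u = q.popleft()
        for v in g[u]:
            if v not in seen:
                seen.add(v)
                q.append(v)
    return seen == set(nodes)


def single_points_of_failure(links):
    """Links whose loss partitions the network (bridges), in input order."""
    nodes = {n for link in links for n in link}
    spof = []
    for i, link in enumerate(links):
        remaining = links[:i] + links[i + 1:]        # drop this one circuit only
        if not is_connected(build_graph(remaining), nodes):
            spof.append(link)
    return spof


def disjoint_route_count(links, src, dst):
    """Number of link-disjoint routes between src and dst.

    By Menger's theorem this equals the minimum number of links whose
    failure separates the pair.  Computed as a unit-capacity max flow
    (Edmonds-Karp) with each undirected link as two antiparallel arcs.
    """
    if src == dst:
        raise ValueError("source and destination must differ")
    cap = defaultdict(lambda: defaultdict(int))
    for a, b in links:
        cap[a][b] += 1
        cap[b][a] += 1
    routes = 0
    while True:
        parent, q = {src: None}, deque([src])
        while q and dst not in parent:              # BFS for an augmenting path
            u = q.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    q.append(v)
        if dst not in parent:
            return routes
        v = dst
        while parent[v] is not None:                # consume one unit along the path
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        routes += 1


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(LINKS))
    for pair in [("CPU", "MUX-1"), ("CPU", "TERM-ROOM-1"), ("FEP-A", "FEP-B")]:
        print(pair, "disjoint routes:", disjoint_route_count(LINKS, *pair))
```

In the constructed topology the only single point of failure is the link into TERM-ROOM-1; the CPU has two disjoint routes to MUX-1 (one backup, the "medium at best" case), and the two front ends have three between them. Node-disjoint routes, which also survive the loss of an intermediate multiplexer, are the stricter check and can be computed the same way after splitting each intermediate node into an in/out pair with a unit-capacity arc.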

Cost.  It  is  expensive  to  retrofit  software  and  hardware  for  establishing 
alternative  paths  in  a communications  system.  Depending  on  the  size  of  the 
communications  system,  this  cost  may  be  as  high  as  $1  million.  The  cost  of 
modifications  to  the  software  only  is  still  high  because  of  the  complexity  of 
this  software. 

Caveats.  Some  communications  manufacturers  have  been  successful  in  solving 
this  problem.  The  G.E.  Mark  III  network  claims  more  than  99  percent  uptime. 